Password Safe Admin Guide 21.2 ©2003-2021 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. TC:7/26/2021


Password Safe Admin Guide 21.2


Table of Contents

Password Safe Administration Guide 7

Log In to the BeyondInsight Console 7

Select a Display Language 8

Navigate the Console 8

Add Assets to Password Safe 10

Workflow to Add Managed Systems and Accounts to Password Safe 10

Create a Functional Account 10

Override a Functional Account Password 11

Add a Managed System Manually 11

Add Managed Systems Using a Smart Rule 14

Add Active Directory Managed Accounts Using a Smart Rule 14

Work with Managed Systems 17

Set the Account Name Format within the Managed Assets using Password Safe Action 17

Import an SSH Server Key Using a Smart Rule 17

Manage the SSH Server Keys 18

View the BeyondInsight Details of an Asset-Linked Managed System 19

View the Standalone Managed Systems Details 19

Work with Managed Accounts 20

View Managed Accounts 20

View Managed Account Details 20

Delete Managed Accounts 21

Unlink Managed Accounts 22

Change Passwords for Managed Accounts 22

Configure Subscriber Accounts 23

Configure Password Reset for Managed Account Users 24

Use a Managed Account as a Discovery Scan Credential 26

Managed Account Aliasing 27

Work with Smart Rules 29

Predefined Smart Groups 29

Considerations When Designing Smart Rules 30

Smart Rule Processing 31


View and Select Smart Rules Processing Statistics 32

Use Dedicated Account Smart Rule 33

Use Quick Groups 34

Configure Role Based Access 35

Group Features 35

Password Safe Roles 36

Create a Group and Assign Roles 37

Quarantine User Accounts 39

Configure API Access 40

Restrict Access to Password Safe Login Page 41

Configure Approvals 42

Use a Managed Account as a Credential 42

Configure LDAP Groups 43

Real Time Authorization 43

Configure Password Safe Access Policies 45

Create an Access Policy 45

Create a Connection Profile 49

Use a Predefined Connection Profile 50

Create Password Policies 51

Manage Recorded Sessions 53

View Recorded Sessions 53

Use Keystroke Search 53

Export a Session Frame 54

Archive Recorded Sessions 54

View and Restore Archived Sessions 54

Manage Active Sessions 56

View Active Sessions 56

Lock an Active Session 56

Terminate an Active Session 57

Terminate and Cancel an Active Session 57

View Keystrokes in Active Sessions 57

Add Windows Components to Password Safe 58

Add a Directory 58


Add Directory Accounts 58

Add Windows Service, Task Scheduler, and IIS Application Pool Accounts to Password Safe Management 60

Manage Windows Service Accounts 61

Manage Windows Scheduled Task Accounts 63

Manage Windows IIS Application Pool Accounts 64

Configure Password Safe Global Settings 66

Add Databases to Password Safe 69

Auto Discover and Manage Database Instances 69

Manually Add Database Instances 69

Manage Database Instance Accounts 71

Create a Functional Account for a SQL Server Database 71

SQL Server Instance Port Retrieval 73

Add a PostgreSQL Database Instance 74

Configure Settings on the Oracle Platform 75

Oracle Internet Directories OID 79

Add Applications to Password Safe 81

Use Encryption Module for RemoteApp 82

Associate the Application with a Managed Account 82

Set Up the Access Policy 83

Set Up Role-Based Access 83

Use AutoIt Passthrough 84

Add SAP as a Managed System 85

Configure API Registration 86

Add a Custom Platform or Application Platform 88

Create a New Platform 88

Create a New Application Platform 92

Export or Import a Custom Platform 96

Export a Custom Platform 96

Import a Custom Platform or Application Platform 96

Configure SSH and RDP Connections 98

Requirements for SSH 98

Supported SSH Client Algorithms 98


Auto-Launch PuTTY Registry File 100

Supported SSH Session Protocols 100

Multiple SSH Sessions 101

Enable Login Accounts for SSH Sessions 101

Use Direct Connect for SSH and RDP Session Requests 102

Configure RDP Sessions 104

Configure Session Monitoring 106

Configure Listen Host and File Location 106

Configure Concurrent Sessions 106

Use Session Masking 107

Customize Session Images 107

Configure Recorded Sessions in a Multi-Node Environment 109

Configure Keystroke Logging 109

Enhanced Session Auditing 110

Configure Algorithms used by the Session Monitoring Proxy 112

Use DSS Authentication 114

Generate and Distribute the Key 114

Create a Functional Account with DSS Authentication 114

Create a Functional Account on the Unix or Linux Platform 115

Set DSS on the Managed Account 116

DSS Key Auto Management 117

Configure Password Safe Agents 119

Configure the Password Change Agent 119

Configure the Mail Agent 119

Configure the Password Test Agent 120

Configure Session Agents for Remote Proxy Sessions 121

Add Ticket Systems to the List on the Requests Page 123

Customize Email Notifications 124

Email Notifications Sent by Password Safe 124

Customize Mail Templates 125

Configure Workgroups for Multi-Node and Multi-Tenant Environments 127

Create a Password Safe Worker Node 127

Assign a Password Safe Worker Node to a Workgroup 127


Assign a Workgroup to a Managed Account 127

Assign Agents to Workgroups for Multi-Tenant Environments 129

Configure and Use Team Passwords 130

Assign a Group to a Team in Team Passwords 130

Create a Credential in Team Passwords 130

Manage Folders in Team Passwords 131

View and Copy a Credential in Team Passwords 132

Edit and Delete a Credential in Team Passwords 133


Password Safe Administration Guide

Password Safe is your privileged access management solution to ensure your resources are protected from insider threats. It combines privileged password and session management to discover, manage, and audit all privileged credential activity.

Password Safe creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

Password Safe is supported on a Unified Vulnerability Management (UVM) hardened appliance that creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

More specifically, you can use Password Safe to accomplish the following:

1. Scan, identify, and profile all assets for automated Password Safe management, ensuring no credentials are left unmanaged.
2. Control privileged user accounts, applications, SSH keys, cloud admin accounts, RPA accounts, and more.
3. Use adaptive access control for automated evaluation of just-in-time context for authorization access requests.
4. Monitor and record live sessions in real time and pause or terminate suspicious sessions.
5. Enable a searchable audit trail for compliance and forensics, and achieve complete control and accountability over privileged accounts.
6. Restrict access to critical systems, including assets and applications, keeping them safe from potential inside threat risks.

Log In to the BeyondInsight Console

The admin username used to sign into the BeyondInsight Console for the first time is configured during the installation process. Afterward, the credentials you use to log in to the console depend on the type of authentication configured for your BeyondInsight system.

The following authentication types can be used:

• Password Safe Authentication
• Active Directory: Create a BeyondInsight group and add Active Directory users as members.
• LDAP: Create a BeyondInsight group and add LDAP users as members.
• Smart Card: Configure Password Safe to allow authentication using a Smart Card PIN.
• RADIUS: Configure multi-factor authentication with a RADIUS server.
• Third Party Authentication: Configure Password Safe to use authentication for web tools which support the SAML 2.0 standard, such as PingID, Okta and ADFS.

1. Open a browser and enter https://<servername>. You are redirected to the web console.
2. Enter your username and password and then click Log In. The default username is Administrator, and the password is the password you set for Administrator in the configuration wizard.

Note: You may need to accept a pre-login message, if one has been configured on your system.


For more information on configuring authentication using BeyondInsight groups, Smart Card, RADIUS, and third party SAML 2.0 web tools, please refer to the BeyondInsight and Password Safe Authentication Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/authentication/index.htm.

Select a Display Language

BeyondInsight and Password Safe can be displayed in the following languages:

• Dutch
• English
• French
• Japanese
• Korean
• Portuguese
• Spanish

If the Show language picker option is enabled in Site Options, you can select a language from the list on the Log In page or by clicking the Profile and preferences button, and then selecting it from the Language list.

Navigate the Console

Once logged into the BeyondInsight console, you are taken to the Homepage, where the BeyondInsight suite of features is easily accessible by clicking the container cards or by clicking Menu in the left navigation menu.

Available features include:

• Assets: Display and manage all assets. Access the Smart Rules page to create and manage smart groups. Add assets to Password Safe management.
• Smart Rules: View and manage Smart Rules.
• Scan: Schedule discovery scans.
• Scans: Review active, completed, and scheduled scans.
• Endpoint Privilege Management: View and manage Endpoint Privilege Management events, policies, policy users, agents, file integrity monitoring, and session monitoring.
• Managed Systems: View and configure properties for Password Safe managed systems, managed databases, managed directories, managed applications, and their associated Smart Rules.


• Managed Accounts: View and configure properties for Password Safe managed accounts and their associated Smart Rules.
• Password Safe: Access the Password Safe web portal to request passwords and remote access sessions and to approve requests.
• Team Passwords: View and manage team credentials.
• Analytics & Reporting: Access reports on collected data.
• Configuration: Configure BeyondInsight and Password Safe components and objects, such as users and groups, authentication settings, connectors, and much more.


Add Assets to Password Safe

This chapter provides a high-level overview of adding systems and accounts to be managed by Password Safe. Once assets are managed by Password Safe, selected users can request access to them. For details on adding specific systems, please refer to the chapter for the particular system in this guide.

A system and the associated account can be added to Password Safe in any of the following ways:

• Manually: After an asset is added to the management console, you can add the asset to Password Safe.
• Smart Rules: You can create a Smart Rule with selected filter criteria, to match on the systems that you want to add to Password Safe.
• Discovery Scanning: You can run a discovery scan in BeyondInsight on a selected range of IP addresses.

Workflow to Add Managed Systems and Accounts to Password Safe

There are three ways to add systems and accounts to Password Safe:

• Add the asset manually.
• Run a discovery scan and then import the assets using an address group or directory query.
• Use API scripts.

The following is a high-level overview of the steps required to add systems and accounts to be managed in Password Safe.

1. Add the functional account: A functional account is one that can access the system with the privileges required to manage and change passwords for shared accounts on the system.

2. Add the managed system: A managed system is a computer or device where one or more account passwords are to be maintained by Password Safe. Managed systems can be Windows machines, Unix/Linux machines, network devices, databases, firewalls, routers, iLO machines, and LDAP or Active Directory domains.

3. Add the managed account: A managed account is an account on the managed system whose password is being stored and maintained through Password Safe. Typically, managed accounts are privileged accounts that can perform administrative tasks on the managed system.

4. Configure managed system settings: After a system is added to Password Safe, configure settings that apply to the managed system.

5. Set up role based access: Create user groups that permit users to:

   • Log in to the Password Safe web portal.
   • Assign Password Safe roles, such as Requester or Approver.
   • Create access policies to permit accounts to access the systems, applications, and sessions, and to request password releases.

Create a Functional Account

A functional account on a managed system is required to manage passwords for accounts on that managed system.


IMPORTANT!

Do not set up a functional account as a managed account. Functional accounts have built-in management capabilities and passwords could fail to synchronize, causing issues.

Note: The settings vary, depending on the type and platform chosen.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Functional Accounts.
2. Click Create Functional Account.
3. Select a type from the list.
4. Select a platform from the list.

Note: The DSS authentication and Automatic password management settings are not supported if you are using the elevated credential pbrun jumphost.

5. Provide credentials and a description for the account.
6. Provide an alias. The Alias value is shown in the selectors throughout Password Safe where you must select a functional account to use.
7. Select a workgroup, if applicable.
8. If desired, enable Automatic Password Management, and then select the password policy and change frequency. This option enables automatic password changes for each managed system that this functional account is associated with at the designated frequency.

Note: The passwords for functional accounts cannot be retrieved through the Password Safe web portal.

9. Click Save New Account.

Override a Functional Account Password

Every managed system that uses a specific functional account has a unique password associated with that functional account. The password on the managed system might be out of sync with the password in Password Safe. You can override a functional account password from the Functional Account section in the Advanced Details of a managed system.

Add a Managed System Manually

Note: Settings vary depending on the platform type. When an account is manually added to a managed system, the default configuration of the account is set to what is configured on the managed system.

There are two ways to add a managed system manually. From the Managed System grid, click Create New Managed System.

Alternatively, link the managed system to an asset:


1. On the Assets page, select the system you want to manage, and then click the vertical ellipsis at the right end of the line.

2. Select Add to Password Safe from the menu.

3. On the Create New Managed System form, set the system settings. The settings will vary based on the platform selected. The settings are described in the below table.

4. Click Create Managed System.

Setting / Description or Action

Platform: Select a platform type from the list.

Name: Enter a unique name for the system.

Instance Number (SAP only): If you have added your SAP (System Application Products) environment to Password Safe management, provide the instance number.

Description: Enter a description for the system.

IP Address: Enter the IP address for the system.

DNS Name: Enter the DNS name for the system.

Workgroup: Select the system workgroup from the dropdown list.

Port: Enter a port number.

NetBIOS (Windows and Active Directory managed systems only): Enter a unique name for the system.

Enable Automatic Password Management: Toggle to automatically check and update managed account passwords at a set frequency or after password releases.


Setting / Description or Action (continued)

Default Password Policy: Select a Password Safe password policy or use the default policy. The policy provides the requirements used by Password Safe to create passwords, such as password length and permitted characters.

Elevation: Select an elevated account to run as: sudo, pmrun, pbrun, pbrun jumphost. If you are using pbrun jumphost, enter the IP address for the Privilege Management for Unix & Linux policy server that you want to connect to.

Note: SSH Key Enforcement Mode is not available if you are using pbrun jumphost.

Functional Account: Select a functional account from the list.

Use Login Account for SSH Sessions: Create a login account to allow the user to open an SSH session in environments where remote shell access is not permitted, for instance the root account.
  Login Account: Select the account name.

Account Name Format: Select an account name format from the list: sAMAccountName, UPN or domain\account.

Timeout: The timeout value determines the amount of time in seconds that a connection attempt to the managed system remains active before being aborted. In most cases, it is recommended to use the default value (30 seconds). If there are problems with connection failures with the system, this value can be increased.

SSH Key Enforcement Mode: Verifies SSH host keys from a known host. You can import SSH keys from a host using a Smart Rule.
  Auto Accept Initial Key: The first key imported is automatically accepted. Any new key imported after the initial key must be manually accepted.
  Manually Accept Keys: SSH connections to the host are permitted for accepted keys only. If a new key is detected from the host, the key is stored in the database and an email is sent to the Administrators user group. The key must then be accepted or denied.

Default DSS Key Policy: If you are using DSS authentication for the system, select a key policy or use the default.

Release Duration: The duration that can be requested during the request process. The default value is 2 hours. When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination option is enabled for the access policy.

Max Release Duration: The maximum length of time the requester is permitted to enter on the Requests page. Applies to password and session requests. The maximum length that can be set is 365 days.

Contact e-mail: Enter the email address where Password Safe system notifications will be sent.
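The two SSH Key Enforcement Mode choices in the table above differ only in how a host's first key is treated; both hold any later, changed key for administrator review. The following Python model is an added example written for this guide, not BeyondTrust code: it keeps host keys in an in-memory store (a stand-in for the product's database), records a list entry in place of the email to the Administrators user group, and uses constructed key bytes rather than real key material. Class and function names are the example's own.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class EnforcementMode(Enum):
    """The two choices offered by the SSH Key Enforcement Mode setting."""
    AUTO_ACCEPT_INITIAL = "Auto Accept Initial Key"
    MANUALLY_ACCEPT = "Manually Accept Keys"


def fingerprint(raw_key: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key bytes, base64 without padding."""
    digest = hashlib.sha256(raw_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class KeyRecord:
    fingerprint: str
    status: str   # "accepted", "pending" (awaiting an administrator) or "denied"


@dataclass
class HostKeyStore:
    """In-memory stand-in for the key database (assumption for this example).
    `notifications` stands in for the email sent to the Administrators group."""
    mode: EnforcementMode
    keys: dict = field(default_factory=dict)          # host -> list[KeyRecord]
    notifications: list = field(default_factory=list)

    def observe(self, host: str, raw_key: bytes) -> bool:
        """Record the key `host` presented on connect; return True if the
        connection may proceed, False if the key is pending or denied."""
        fp = fingerprint(raw_key)
        records = self.keys.setdefault(host, [])
        for rec in records:
            if rec.fingerprint == fp:
                return rec.status == "accepted"
        # Unseen key. Only a host's very first key, and only under
        # Auto Accept Initial Key, is trusted without review; a key that
        # differs from one already on file is always held, because a
        # changed host key is exactly what this setting exists to catch.
        auto = not records and self.mode is EnforcementMode.AUTO_ACCEPT_INITIAL
        records.append(KeyRecord(fp, "accepted" if auto else "pending"))
        if not auto:
            self.notifications.append(f"new SSH host key for {host}: {fp}")
        return auto

    def _record(self, host: str, fp: str) -> KeyRecord:
        for rec in self.keys.get(host, []):
            if rec.fingerprint == fp:
                return rec
        raise KeyError(f"no record of {fp} for {host}")

    def accept(self, host: str, fp: str) -> None:
        self._record(host, fp).status = "accepted"

    def deny(self, host: str, fp: str) -> None:
        self._record(host, fp).status = "denied"

    def pending(self, host: str) -> list:
        """Fingerprints awaiting an accept/deny decision for this host."""
        return [r.fingerprint for r in self.keys.get(host, []) if r.status == "pending"]


def demo() -> dict:
    """Walk both modes over two constructed keys and return the outcomes."""
    key_a = b"ssh-ed25519 AAAA-constructed-key-A"   # constructed, not real key material
    key_b = b"ssh-ed25519 AAAA-constructed-key-B"
    auto = HostKeyStore(EnforcementMode.AUTO_ACCEPT_INITIAL)
    out = {"auto_first": auto.observe("db01", key_a)}            # first key trusted
    out["auto_changed"] = auto.observe("db01", key_b)            # held, admins notified
    auto.deny("db01", fingerprint(key_b))
    out["auto_denied"] = auto.observe("db01", key_b)             # still refused
    out["auto_notifications"] = len(auto.notifications)
    manual = HostKeyStore(EnforcementMode.MANUALLY_ACCEPT)
    out["manual_first"] = manual.observe("web01", key_a)         # refused until accepted
    manual.accept("web01", fingerprint(key_a))
    out["manual_after_accept"] = manual.observe("web01", key_a)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the file directly to see the outcomes for each mode. The point worth checking in any real deployment is the second call under Auto Accept Initial Key: the mode's convenience applies to the initial key only, and a host whose key changes afterwards is cut off until someone reviews the notification.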

For more information, please see the following:

• "Add SAP as a Managed System" on page 85
• "Create Password Policies" on page 51
• "Enable Login Accounts for SSH Sessions" on page 101
• "Set the Account Name Format within the Managed Assets using Password Safe Action" on page 17
• "Import an SSH Server Key Using a Smart Rule" on page 17
• "Manage the SSH Server Keys" on page 18


• "Set DSS on the Managed Account" on page 116
• "Configure Password Safe Access Policies" on page 45

Add Managed Systems Using a Smart Rule

You can add assets to Password Safe using an asset based Smart Rule.

Tip: Before proceeding, consider the selection criteria to use to add the assets. There are several options available, including Operating System and Directory Query.

Note: SSH key enforcement is not supported when using the pbrun jumphost elevated credential. The settings display as available after pbrun jumphost is selected. However, the settings will not work with the elevated credential.

1. Select Smart Rules from the left navigation pane.
2. From the Smart Rule Type filter dropdown list, select Asset.
3. Click Create Smart Rule +.
4. Select a Category from the dropdown list.
5. Enter a Name and Description for the Smart Rule.
6. Select a Reprocessing Limit from the dropdown list.
7. Set one or more Selection Criteria.
8. Select the filter criteria. Address groups are very useful here.
9. In the Actions section, select Manage Assets Using Password Safe from the list.
10. Select the platform, functional account, and other settings. The settings are the same as when you add the system manually.
11. In the Actions section, click Add another action.
12. Select Show asset as Smart Group from the list. This is helpful for grouping assets and accounts by their type.
13. Click Create Smart Rule.

For complete descriptions, please see "Add a Managed System Manually" on page 11.
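An asset-based Smart Rule of the kind just described is a set of selection criteria plus one or more actions that run on every asset the criteria match. The Python below is an added example written for this guide, not BeyondTrust code, and models that structure: an address-group criterion (CIDR ranges) and an operating-system criterion are combined with AND, and the two actions from steps 9 and 12 (manage the asset with a platform and functional account; show it as a Smart Group) are applied to the matches. The Asset record, its field names, the inventory, and the functional account name svc_pwdmgmt are all constructed for illustration; the real product evaluates rules against its own database and stores the results there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """Constructed asset record; field names are this example's own."""
    name: str
    ip: str
    operating_system: str


Criterion = Callable[[Asset], bool]


def in_address_group(*cidrs: str) -> Criterion:
    """Selection criterion: the asset's IP falls inside one of the group's ranges."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    return lambda asset: any(ipaddress.ip_address(asset.ip) in n for n in networks)


def operating_system_is(prefix: str) -> Criterion:
    """Selection criterion: the operating system string starts with `prefix`."""
    return lambda asset: asset.operating_system.startswith(prefix)


@dataclass
class SmartRule:
    name: str
    criteria: List[Criterion]     # every criterion must hold (AND)
    platform: str                 # settings for "Manage Assets Using Password Safe"
    functional_account: str
    smart_group: str              # name used by "Show asset as Smart Group"

    def matches(self, asset: Asset) -> bool:
        return all(criterion(asset) for criterion in self.criteria)

    def process(self, inventory: List[Asset]) -> Tuple[Dict[str, dict], List[str]]:
        """Apply both actions to each matching asset.
        Returns (managed_systems keyed by asset name, smart group members)."""
        managed: Dict[str, dict] = {}
        members: List[str] = []
        for asset in inventory:
            if self.matches(asset):
                managed[asset.name] = {
                    "platform": self.platform,
                    "functional_account": self.functional_account,
                }
                members.append(asset.name)
        return managed, members


# Constructed inventory: two Windows servers and one Linux host in the
# 10.1.0.0/24 range, plus a Windows machine outside it.
INVENTORY = [
    Asset("win-app01", "10.1.0.15", "Windows Server 2019"),
    Asset("win-app02", "10.1.0.22", "Windows Server 2016"),
    Asset("lnx-db01", "10.1.0.40", "Ubuntu 20.04"),
    Asset("win-lab01", "192.168.50.9", "Windows 10"),
]

WINDOWS_PROD_RULE = SmartRule(
    name="Windows servers in the production address group",
    criteria=[in_address_group("10.1.0.0/24"), operating_system_is("Windows")],
    platform="Windows",
    functional_account="svc_pwdmgmt",     # assumed name, not from the guide
    smart_group="Windows Production",
)


if __name__ == "__main__":
    managed, members = WINDOWS_PROD_RULE.process(INVENTORY)
    print(f"Smart Group '{WINDOWS_PROD_RULE.smart_group}': {members}")
    for name, settings in managed.items():
        print(f"  {name} -> {settings}")
```

Only win-app01 and win-app02 satisfy both criteria; lnx-db01 fails the operating-system check and win-lab01 fails the address-group check, which is the behaviour to expect from the Tip above about choosing criteria such as Operating System before creating the rule.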

Add Active Directory Managed Accounts Using a Smart Rule

You can create a Smart Rule that discovers and adds Active Directory accounts to Password Safe, using the below procedure. The procedure also shows how to link domain accounts to the system.

Note: A Directory Query and a domain should be created prior to creating a Smart Rule.

1. From the left navigation in the console, select Smart Rules.


2. From the Smart Rule type filter list, selectManaged Account.3. Click Create Smart Rule +.4. Select the Selection Criteria as applicable:

• Asset Smart Group: Select a smart group from the list.
• Child Smart Rule: Select a Smart Rule you want to filter the child Smart Rules from.
• Dedicated Account: Select an account filter from the list. Enter a keyword to search on.
• Directory Query: Choose to Include or Exclude accounts from Directory Query.
    ◦ Select a query from the list.
    ◦ Provide the frequency for the query to run. Leave the entry as 0 for a one time run.
    ◦ Enable the Discover accounts for Password Safe Management option to discover accounts when the Smart Rule processes.
    ◦ Select a Domain from the list.
• Managed Account Fields: This filter only applies to existing managed accounts.
    ◦ Select a filter: Account Name, Create Date, Description, Domain Name, Last Change Date or Last Change Result.
    ◦ Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
• Managed System Fields: The smart rule will be filtered according to the Managed System you select.
    ◦ Select a filter: System Name, Create Date, Last Update Date.
    ◦ Select an expression, and then enter a keyword to search on, for example, WIN for Windows.
• Platforms: Select a platform or check Select All.
• User Account Attribute: Select the attribute from the list, and then provide the filter condition and value for that attribute. For each attribute filter, select Yes for Discover accounts for Password Safe Management, and then select a smart group to search in.
    ◦ Privilege: Select is one of or is not one of. Select All or one, or a combination of Administrator, Guest, or User.
    ◦ SID: Select an expression, and then enter a keyword to search on.
    ◦ Account Name: Select an expression, and then enter a keyword to search on.
    ◦ Password Age: Select an expression, and then select age parameters to search on.

5. In the Actions section, select Manage Account Settings to add the accounts that match on the criteria to Password Safe. The settings are the same as when you add the accounts manually.

6. Additional properties can be set under Actions:

• Assign preferred Domain Controller on each Active Directory account: Select the Active Directory domain and Domain Controller from the lists.
• Assign workgroup on each account: Used with agent workgroups in multi-active deployments, this action allows you to define groups of accounts that will be assigned to specific password change agents. Select a workgroup from the list, or select Any.
• Link domain accounts to Managed Systems: When used with Directory Accounts filter criteria, this action creates a linked association between the directory accounts and the target asset smart groups for role-based access control.
• Map Dedicated Accounts To: Use only when the Dedicated Accounts filter criteria is selected. This action identifies the group of user accounts that will be used to match against the dedicated account mask condition.


• Send an email Alert: Select to send an email alert when the Smart Rule processes. The email contains a summary of the results: the managed accounts matched by the Smart Rule and any changes since its last execution.
• Set attributes on each account: Select to assign an attribute to filter and sort managed accounts. When viewing the smart groups on the Managed Accounts page, the groups are organized based on the filters selected in the smart group. You can use the default attributes that are available or create an attribute on the Configuration page. When the Smart Rule runs, the attribute is applied to all managed accounts that match on the selected filter criteria.

10. Under Actions, click the link to Add another action, and then select Show managed account as Smart Group.
11. Click Create Smart Rule.

For more information, please see the following:

• "Add a Managed System Manually" on page 11
• On adding Active Directory accounts manually, "Add Directory Accounts" on page 58


Work with Managed Systems

A managed system is any system that is managed by Password Safe. All managed systems can be viewed on the Managed Systems page, by selecting the built-in smart group All Managed Systems from the Smart Group menu in the console.

Set the Account Name Format within the Managed Assets using Password Safe Action

You can set the user account format when adding the following platforms as a managed system:

• Windows
• Linux
• Oracle
• MS SQL Server
• Active Directory

The following format types are supported:

• Domain\Account name: Enter the domain and user account name
• UPN: Uses the format xxx@DomainName
• sAMAccountName: Uses the Active Directory sAMAccountName

When you add managed systems using an asset-based smart group, the Account Name Format setting is available when a supported platform is selected.

If the smart group already exists, you must remove the managed assets using Password Safe, then add the assets again before you see the Account Name Format setting.

Import an SSH Server Key Using a Smart Rule

You can import SSH Server keys from a host and accept the key on the Managed System Advanced Details page.

Supported key types are RSA, DSA, and ECDSA.

1. Navigate to the Configuration > General > Smart Rules page.
2. Within the Smart Rule filter, select Asset, and then click Create New Smart Rule.
3. Enter a name, description, and category.
4. Create the filter settings. For example, select an address group that includes the IP addresses for the hosts.
5. In the Perform Actions section, select Manage Asset Using Password Safe.


6. Select a key enforcement mode: Auto Accept Initial Key or Manually Accept Keys.
7. Click + to add another action, and then select Show Asset as Smart Group.
8. Click Save.

Note: The settings here are the same as when adding a system on the Create Managed Systems page. For more information, please see "Add a Managed System Manually" on page 11.

Manage the SSH Server Keys

After the Smart Rule processes, hosts with SSH server keys are populated in the smart group you created.

An email notification is sent to the Administrators user group when a key is imported and the Key Enforcement Mode is set to Manually Accept Keys. The email notifies the administrators that a fingerprint requires action, what asset the key is on, and also provides details about the fingerprint.

Note: The Fingerprint Verification email template can be modified on the Configuration page. For more information, please see "Customize Mail Templates" on page 125.

Accept or Deny a Key:

1. In the BeyondInsight console, go to the Managed Systems page.
2. Select the managed system from the grid, and then click the vertical ellipsis at the right end of the line.
3. Select Go to advanced details....
4. Select the Server Keys tab.
5. Within the Server Keys table, select the server key you wish to work with.
6. From the Server Keys action (vertical ellipsis):
    • If auto approved, no further action is required.
    • If manually approved, click Accept or Deny.
7. After a key is accepted, from the Functional Accounts tab, click the Test Functional Account button to verify the key with the functional account.

Add a Key Manually:

1. In the BeyondInsight console, go to the Managed Systems page.
2. Select the managed system from the grid, and then click the vertical ellipsis at the right end of the line.
3. Select Go to advanced details...


4. Select the Server Keys tab.
5. From the Server Keys table, click the Create New Server Key button.
6. Select a key type. Enter a Fingerprint and a Description.
7. Click the Create Key button.
8. After a key is added, from the Functional Accounts tab, click the Test Functional Account button to verify the key with the functional account.

Note: The fingerprint must be unique. An error message is displayed if the key is already imported.
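The key enforcement workflow of the two procedures above, as an added Python model that is not BeyondTrust code: the Auto Accept Initial Key and Manually Accept Keys modes, the administrator's Accept/Deny decision, the unique-fingerprint rule, and the check a functional account test performs before trusting a host. Class and function names, the handling of a changed key on an already-known host in auto mode (held as pending), and the fingerprints are assumptions made for this example.

```python
"""Model of the SSH server key acceptance workflow (added illustration,
not BeyondTrust code). Names, the changed-key handling in auto mode and
all sample values are assumptions for this example."""
from dataclasses import dataclass, field
from enum import Enum


class EnforcementMode(Enum):
    AUTO_ACCEPT_INITIAL = "Auto Accept Initial Key"
    MANUAL = "Manually Accept Keys"


class KeyStatus(Enum):
    ACCEPTED = "accepted"
    PENDING = "pending"   # waiting for an administrator to Accept or Deny
    DENIED = "denied"


SUPPORTED_KEY_TYPES = {"RSA", "DSA", "ECDSA"}   # key types named in the text


@dataclass
class ServerKey:
    system: str
    key_type: str
    fingerprint: str
    status: KeyStatus


@dataclass
class ServerKeyStore:
    mode: EnforcementMode
    keys: list = field(default_factory=list)

    def _find(self, fingerprint):
        return next((k for k in self.keys if k.fingerprint == fingerprint), None)

    def import_key(self, system, key_type, fingerprint):
        """Import a key seen on `system` and return its resulting status."""
        if key_type not in SUPPORTED_KEY_TYPES:
            raise ValueError(f"unsupported key type: {key_type}")
        if self._find(fingerprint) is not None:
            # Rule from the text: the fingerprint must be unique; a re-import is an error.
            raise ValueError(f"key already imported: {fingerprint}")
        already_known = any(k.system == system for k in self.keys)
        if self.mode is EnforcementMode.AUTO_ACCEPT_INITIAL and not already_known:
            status = KeyStatus.ACCEPTED      # first key for this host: trusted on first use
        else:
            # Manual mode, or (assumption) a changed key on an already-known host:
            # hold the key until an administrator acts on the notification.
            status = KeyStatus.PENDING
        self.keys.append(ServerKey(system, key_type, fingerprint, status))
        return status

    def decide(self, fingerprint, accept):
        """Administrator's Accept/Deny action on a pending key."""
        key = self._find(fingerprint)
        if key is None or key.status is not KeyStatus.PENDING:
            raise ValueError("no pending key with that fingerprint")
        key.status = KeyStatus.ACCEPTED if accept else KeyStatus.DENIED
        return key.status

    def verify(self, system, presented_fingerprint):
        """What a functional account test checks: does the host present an accepted key?"""
        return any(
            k.system == system
            and k.fingerprint == presented_fingerprint
            and k.status is KeyStatus.ACCEPTED
            for k in self.keys
        )


def demo():
    """Walk both modes with constructed fingerprints (not real host keys).

    Returns (auto first key, auto changed key, manual key, verified after accept).
    """
    fp1 = "SHA256:AAAA0000example1"   # constructed sample value
    fp2 = "SHA256:BBBB1111example2"   # constructed sample value
    auto = ServerKeyStore(EnforcementMode.AUTO_ACCEPT_INITIAL)
    s1 = auto.import_key("db01.example.test", "ECDSA", fp1)   # accepted on first sight
    s2 = auto.import_key("db01.example.test", "RSA", fp2)     # host key changed: pending
    manual = ServerKeyStore(EnforcementMode.MANUAL)
    s3 = manual.import_key("web01.example.test", "RSA", fp1)  # pending until an admin acts
    manual.decide(fp1, accept=True)
    return s1, s2, s3, manual.verify("web01.example.test", fp1)
```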

View the BeyondInsight Details of an Asset-Linked Managed System

You can view the asset details, such as hardware, ports, scheduled tasks, and smart groups associated with the asset.

1. In the BeyondInsight console, go to the Assets page.
2. Select an asset from the grid.
3. Click the vertical ellipsis button for the asset.
4. Select Go to advanced details...
5. Click through the tabs to view more details on each topic.

View the Standalone Managed Systems Details

You can view the managed system details, such as its identifying details, attributes, and policies, as well as managed accounts, smart groups, linked accounts, server keys, functional accounts, and login accounts associated with the managed system.

1. In the BeyondInsight console, go to the Managed Systems page.
2. Select a managed system from the grid.
3. Click the vertical ellipsis for the managed system.
4. Select Go to advanced details....
5. All managed system details are displayed under Details & Attributes for quick access.
6. To see more granular details, click through the tabs to view details on each topic.


Work with Managed Accounts

Managed accounts are user accounts which are local or Active Directory accounts on the managed system.

View Managed Accounts

When viewing managed accounts, the first 100 accounts are displayed in the grid. You can change the number of items displayed on the page using the Items per page dropdown at the bottom of the grid. You can use the Smart Group filter to filter the list by smart group and you can also filter the list by various attributes using the Filter by list.

View Managed Account Details

After the account is added to Password Safe management, you can:

• Review the attributes and settings assigned to the account, such as its identifying details, settings, and policies.
• View managed systems linked to the account.
• View smart groups associated with the account, along with their last process date and processing status.
• See which accounts are synced to the managed account.
• View a list of password changes and the reason for each change.

To view details on a specific managed account:

1. From the left menu in BeyondInsight, select Managed Accounts.


2. Select the managed account, and then click the vertical ellipsis button for the account.
3. Select Go to advanced details.
4. All managed account details are displayed under Details & Attributes for quick access.
5. To see more granular details, click through the tabs to view details on each topic.

Delete Managed Accounts

Managed accounts can be deleted, except for synced accounts. A message is displayed if an account cannot be deleted.

1. From the menu, select Managed Accounts.


2. Select the account or multiple accounts you want to delete, and then click the Delete button above the grid.

3. Click Delete on the confirmation message.

Unlink Managed Accounts

You can unlink managed accounts from managed systems; however, this applies to Active Directory accounts only. If accounts included in the unlink selection are not domain accounts, no action is taken on those accounts.

1. From the menu, select Managed Accounts.
2. Select the account or multiple accounts you want to unlink, and then click the Unlink button above the grid.

3. Click Unlink on the confirmation message.

Change Passwords for Managed Accounts

1. From the menu, select Managed Accounts.


2. Select the account or multiple accounts for which you want to change the password, and then click the Change Password button above the grid.

3. Click Change Password on the confirmation message.

Configure Subscriber Accounts

Any managed account can be synced to multiple accounts. These synced accounts become subscribers to the managed account. The managed account and all of its subscribers always share an identical password. When the password of the managed account or any of the subscriber accounts is changed, Password Safe automatically changes the password of the primary managed account and all of its subscribers to a new password.

Once an account is synchronized as a subscriber account, settings modifications are limited to:

• Enable API
• Allow for scanning
• Application

To sync an account:

1. From the left menu in BeyondInsight, select Managed Accounts.


2. Select a managed account, and then click the vertical ellipsis button for the account.
3. Select Go to advanced details.
4. Under Advanced Details, select Synced Accounts.
5. Select the account or multiple accounts that you want to sync.
6. Click Sync Accounts.

7. To remove a synced account, select the account, and then click the Unsync Accounts button above the grid.

Configure Password Reset for Managed Account Users

You can grant managed account users permission to reset the password on their own managed account, without granting them permission to reset passwords on other managed accounts. You can do this by creating a group, adding the managed account to the group, and then assigning permissions and the Credential Manager role to the group.


1. In the BeyondInsight console, go to Configuration > Role Based Access > User Management.
2. Under Groups, click Create New Group.
3. Select Create a New Group.
4. Provide a name and description for the group, and then click Create Group.
5. From the Group Details pane, select Users, and then assign users to the group.
6. From the Group Details pane, select Features.
7. Select the Management Console Access and Password Safe Account Management features, and then click Assign Permissions.
8. Select Assign Permissions Read Only. Do not grant Full Control.
9. From the Group Details pane, select Smart Groups.
10. Filter the list of smart groups by Type > Managed Account.
11. Select the smart group that contains the applicable managed accounts.
12. Click the vertical ellipsis button for the smart group, and then select Edit Password Safe Roles.
13. Select the Credentials Manager role, and then click Save Roles.

The managed account user can now log in to the console and reset the password for the managed account as follows:

1. Go to the Managed Accounts page.
2. Select the account.


3. Click the vertical ellipsis button for the account.
4. Select Change Password.

Use a Managed Account as a Discovery Scan Credential

A managed account can be used as a credential when configuring a discovery scan.

Note: Once the Scanner option is enabled, the key must be specified again if the account is edited. It can be the same key or a new one.

The following credential types are supported:

• Windows
• SSH
• MySQL
• Microsoft SQL Server

The following platforms are supported:

• Windows
• MySQL
• Microsoft SQL Server
• Active Directory
• Any platform with the IsUnix flag (AIX, HP UX, DRAC, etc.)

To add the managed account as a scan credential:

1. Go to the Managed Accounts page.
2. Select the managed account, and then click the vertical ellipsis button for the account.
3. Select Edit Account.


4. Expand Scanner Settings.
5. Click the slider to enable the scanner.
6. For the Scanner Credential Description, enter a name for the account that can be selected as the credential when setting up the scan details. The name is displayed on the Credentials Management dialog box when setting up the scan.
7. Assign and confirm a key so that only users that know the key can use the credential for scanning.
8. Click Update Account.

Managed Account Aliasing

Aliases are accessible using the API only. Account mappings can be changed without affecting the alias name. At least one managed account is required to be mapped for the alias to be active; when an alias has two or more managed accounts mapped, it is considered to be highly available. An account can only be mapped to one alias. Managed account aliases can be accessed from Configuration > Privileged Access Management > Managed Account Aliases.

Create a New Alias

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Managed Account Aliases.
2. Click Create New Alias.
3. Enter a name, and then click Create Alias.


The new alias appears on the grid under Account Mappings, which displays all aliases ready to be mapped. New aliases show as Unmapped until they are associated with accounts.

Note: Each managed account can only be mapped to a single alias.

You can use the dropdown to select which accounts to display: All Accounts, Mapped, or Unmapped Accounts only.

The Filter-by allows you to filter accounts by System, Account Name, Account Status, or Last Changed Date.

To unmap an account, select the account and click the broken link icon.

Mapped accounts have three status values:

• Active: The account credentials are current and can be requested.
• Pending: The account credentials are current but the password is queued to change.
• Inactive: The account password is changing.

The list of mapped accounts is rotated in a round-robin fashion, typically in order of last password change date. The preferred account, or the account whose status is active and has the oldest change date, is returned on the Alias API model.
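The mapping and rotation rules in this section, as an added Python model that is not BeyondTrust's code: alias availability from the number of mapped accounts, the one-alias-per-account rule, the three mapped-account statuses, and the preferred account (Active with the oldest change date) that the Alias API model returns. Function names, the None result when no mapped account is Active, and the sample accounts are assumptions for this example.

```python
"""Model of managed account alias mapping (added illustration, not
BeyondTrust code). Names, the no-Active-account behaviour and the sample
data are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class MappedStatus(Enum):
    ACTIVE = "Active"      # credentials current and requestable
    PENDING = "Pending"    # credentials current, password queued to change
    INACTIVE = "Inactive"  # password is changing right now


@dataclass(frozen=True)
class MappedAccount:
    system: str
    account_name: str
    status: MappedStatus
    last_changed: datetime


def alias_availability(mapped):
    """Unmapped / Active / Highly Available, per the rules in the text."""
    if not mapped:
        return "Unmapped"
    return "Highly Available" if len(mapped) >= 2 else "Active"


def rotation_order(mapped):
    """Round-robin order: oldest last password change first."""
    return sorted(mapped, key=lambda a: a.last_changed)


def preferred_account(mapped):
    """The account the Alias API model returns: Active with the oldest change date.

    Returns None when no mapped account is Active (all are mid-rotation); a
    caller should retry rather than fall back to a Pending or Inactive account
    (assumption for this example; the text describes only the positive case).
    """
    candidates = [a for a in rotation_order(mapped) if a.status is MappedStatus.ACTIVE]
    return candidates[0] if candidates else None


def map_account(alias_map, alias, account):
    """Map `account` to `alias`, enforcing 'an account can only be mapped to one alias'."""
    for other_alias, accounts in alias_map.items():
        if account in accounts and other_alias != alias:
            raise ValueError(f"{account.account_name} is already mapped to alias {other_alias}")
    alias_map.setdefault(alias, []).append(account)
    return alias_map


def demo():
    """Constructed sample mapping; returns (availability, preferred account name)."""
    # Constructed sample accounts and dates, not real data.
    svc_a = MappedAccount("app01.example.test", "svc_app_a", MappedStatus.ACTIVE, datetime(2021, 7, 1))
    svc_b = MappedAccount("app02.example.test", "svc_app_b", MappedStatus.ACTIVE, datetime(2021, 6, 15))
    svc_c = MappedAccount("app03.example.test", "svc_app_c", MappedStatus.INACTIVE, datetime(2021, 5, 1))
    alias_map = {}
    for acct in (svc_a, svc_b, svc_c):
        map_account(alias_map, "app-service", acct)
    mapped = alias_map["app-service"]
    pref = preferred_account(mapped)   # svc_c is oldest but Inactive, so svc_b wins
    return alias_availability(mapped), pref.account_name if pref else None
```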


Work with Smart Rules

You can use smart groups to add assets, systems, and accounts into Password Safe management. The Smart Rule filters that you configure for the smart groups determine the assets that will be added as managed systems and managed accounts in Password Safe.

There are four types of Smart Rules available with a Password Safe license: Asset, Managed Account, Managed System, and Policy User.

You can use Smart Rules to add the following types of assets:

• Systems
• Network Devices
• Databases
• Local Linux and Windows accounts
• Active Directory accounts
• Dedicated accounts

Note: The settings in a Smart Rule override the settings configured on the managed system.

For more information on using Smart Rules, please see the BeyondInsight User Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/user/smart-rules/index.htm.

Predefined Smart Groups

By default there are smart groups already defined and created.

The following tables list smart groups useful in Password Safe environments.

Asset Based Smart Groups

| Smart Group | Category | Definition |
|---|---|---|
| All Assets in Password Safe | Assets and Devices | All assets under Password Safe management. |
| Recent Assets not in Password Safe | Assets and Devices | All assets discovered in the last 30 days that have not yet been added to Password Safe. |
| Recent Non Windows Assets not in Password Safe | Assets and Devices | All non-Windows assets discovered in the last 30 days that have not yet been added to Password Safe. |
| Recent Windows Servers not in Password Safe | Servers | Windows servers discovered in the last 30 days that have not yet been added to Password Safe. |
| Recent Virtual Servers not in Password Safe | Virtualized Devices | Virtualized server assets discovered in the last 30 days that have not yet been added to Password Safe. |


Managed System Smart Rules

| Smart Rule | Category | Definition |
|---|---|---|
| Database Managed Systems | Types | Database Managed Systems |
| Directory Managed Systems | Types | Directory Managed Systems |
| Cloud Managed Systems | Types | Cloud Managed Systems |
| Asset Managed Systems | Types | All Managed Systems associated with BeyondInsight Assets |
| All Managed Systems associated with BeyondInsight Assets | Managed Systems | All Managed Systems associated with BeyondInsight Assets |
| All Managed Systems not associated with BeyondInsight Assets | Managed Systems | All Managed Systems not associated with BeyondInsight Assets |
| All Managed Systems | Managed Systems | All Managed Systems |
| Recently Added Managed Systems | Managed Systems | Managed Systems added less than 30 days ago |

Managed Accounts Smart Groups

| Smart Group | Definition |
|---|---|
| All Managed Accounts | All accounts managed by Password Safe. |
| Recently Added Managed Accounts | Filters on managed accounts added less than 30 days ago. |
| Database Managed Accounts | Filters on the database platform and includes SQL Server and Oracle platforms. |
| Hardware Device Managed Accounts | Filters on hardware devices including Dell DRAC and HP iLO platforms. |
| Linux Managed Accounts | Filters on the Linux platform. |
| Mac Managed Accounts | Filters on the macOS platform. |
| Unix Managed Accounts | Filters on the Unix platform. |
| Windows Managed Accounts | Filters on the Windows platform. |

Considerations When Designing Smart Rules

• The filter criteria are processed hierarchically. When creating the filter structure, place the filters that reduce the largest number of entities at the top of the hierarchy.
• When adding Active Directory accounts using a directory query, ensure the query is as restrictive as possible. For example, configure the query on a smaller set of data in your environment.
• When adding assets to Password Safe, be cautious about creating more than one Smart Rule with the same systems or accounts. If the Smart Rules have different actions, they will start continually overwriting each other in an endless loop.
• There can be delays when a Smart Rule depends on an external data source, such as LDAP, as processing can take longer. For example, a directory query that uses the discover accounts feature (managed account Smart Rule) or the discover assets feature (asset based Smart Rule).


Smart Rule Processing

A Smart Rule processes and updates information in smart groups when certain actions occur, such as the following:

• The Smart Rule is edited and saved.
• A timer expires.
• You manually kick off the processing by selecting the Smart Rule from the grid on the Smart Rules page, and then clicking Process.

Note: The Process action from the grid on the Smart Rules page does not apply to Managed Account Quick Group Smart Rules, because these only run once upon creation and cannot be triggered to run again.

• A Smart Rule with Smart Rule children triggers the children to run before the parent completes.
• Managed account Smart Rules with the selection criteria Dedicated Account will process when a change to a mapped group is detected. This can occur in the following scenarios:
  ◦ A new user logs on.
  ◦ The group refreshes in Active Directory when an administrator views or edits the group in Configuration > Role Based Access > User Management.

Change the Processing Frequency for a Smart Rule

By default, Smart Rules process when asset changes are detected. The assets in the Smart Rule are then dynamically updated. For Smart Rules that require more intensive processing, you might want Smart Rules to process less frequently.

To provide more restrictive processing, you can select alternate frequency settings to override the default processing. The Smart Rules will process in the selected time frame (for example, the rule will process once a week).

When creating a new Smart Rule or updating an existing one, select your desired frequency from the Reprocessing limit list in the Details section.

Note: A Smart Rule will always process when first saved or updated.


View and Select Smart Rules Processing Statistics

The Smart Rules grid displays some processing statistics by default. Additional Smart Rules processing statistics, such as Processed Date, Successful Attempts, and Failed Attempts, are available and can be displayed in the Smart Rules grid.

To add this information to the grid:

1. From the left menu in the BeyondInsight console, click Smart Rules.
2. Click the Column chooser icon in the upper right of the grid.
3. Click the desired column to add that information to the grid.

• Check marks indicate columns currently displayed.
• You can remove a displayed column by clicking the column name in the Column chooser list.
• If there are more columns displayed than can fit in the width of the screen, a scroll bar appears at the bottom of the grid. It may be necessary to scroll sideways to view any additional columns.


Use Dedicated Account Smart Rule

A dedicated account Smart Rule allows you to dynamically map dedicated administrator accounts outside of BeyondInsight to users in a BeyondInsight group.

1. In the console, click Managed Accounts.
2. Click Manage Smart Rules.
3. Click Create Smart Rule.
4. Under Selection Criteria, select Dedicated Account, and then define filter rules.
5. Under Actions, select Map Dedicated Accounts To, and then select a user group.
6. Click Add another action.
7. Select Show managed account as Smart Group.
8. Click Create Smart Rule.

After setting up the Smart Rule, you must assign permissions and roles to the group.

1. In the console, click Configuration.
2. Under Role Based Access, click User Management.
3. Select the group.
4. Click the More Options button for the selected group.
5. Click View Group Details.
6. In the Group Details pane, click Smart Groups.
7. In the Smart Group Permissions pane, select the newly created dedicated account smart group.
8. Click Assign Permissions > Assign Permissions Read Only.


Note: If there is more than one match to the usernames which match the criteria in the dedicated accounts smart group, you must edit the smart group to exclude the duplicate matches.

Use Quick Groups

For a simpler way to organize managed accounts, you can group them using a Quick Group. The default processing time on a Quick Group is Once.

1. In the console, click Managed Accounts.
2. From the Smart Group filter, select an existing Smart Group where the managed accounts are members.
3. Check the boxes for the managed accounts that you want to add to the Quick Group.
4. Click Add to Smart Group.
5. Select Quick Groups from the Category list, and then select a Quick Group from the Smart Group list or create a new one.
6. Quick Groups are displayed in a Quick Groups category on the Smart Rules page.
7. You can change the name and description by clicking the More Options icon, and then selecting View Details.

Note: You can add and remove accounts from Quick Groups on the Managed Accounts page. You cannot add or modify filters or actions for Quick Groups.

For more information about Smart Rule processing, please see "Change the Processing Frequency for a Smart Rule" on page 31.


Configure Role Based Access

Creating groups gives you great flexibility in delegating access to managed systems. Permissions provide access to BeyondInsight system components, while Password Safe roles determine the scope of access to managed systems.

• Group permissions: Permissions are assigned when you create a group. Permissions are system-wide and provide access to various components of the BeyondInsight infrastructure. There are permissions that are specific to accessing and using features of the Password Safe application.

• Password Safe roles: The roles define the actions that Password Safe users can take when using the Password Safe web portal for password releases or access to applications.

Group Features

The following table provides information on the Password Safe features that you can assign to your groups.

Feature: Full Control permission assigned

Password Safe Account Management: Grants permissions to the following features on the Managed Accounts page:
  • Bulk delete accounts
  • Add accounts to a Quick Group
  • Remove accounts from a Quick Group
  • Add, edit, and delete accounts

Password Safe Admin Session: Allows non-ISA users access to the Admin Session feature in Password Safe. Using an Admin Session allows administrators to open ad-hoc RDP / SSH sessions without going through the request process.

Password Safe Bulk Password Change: Use the bulk password change feature on the Managed Accounts page.

Password Safe Role Management: Manage roles, provided users also have the following permissions: Password Safe Role Management and User Accounts Management.

Password Safe System Management: Users can manage systems on the Managed Systems page, including:
  • Create, change, and remove directory and cloud systems
  • Link and unlink directory accounts to managed systems

Note: Password Safe Account Management is needed with Password Safe System Management to manage Password Safe accounts. Full Control is required for both.

Smart Rule Management - Managed Account: Users can create and edit Managed Account Smart Rules.

Smart Rule Management - Managed System: Users can create and edit Managed System Smart Rules.

Team Passwords: Users can access the Team Passwords feature.

In addition to Password Safe features permissions, users need the following general permissions:


Asset Management: Read, create, and delete assets and databases.

Management Console Access: Access to log on to the management console.

Password Safe Roles

In Password Safe, a role is the connection between a Password Safe user account and a managed system. A role defines what the user or group can do with respect to that managed system.

Role: Description

Requester: Users can submit a request to retrieve a managed password or file. When assigning the Requester role, you must select an access policy.

Approver: Users can approve requests for the release of managed passwords or files. Typically, system administrators and network engineers are assigned to this role.

Requester/Approver: With this cross-functional role, a user can submit or approve requests for password or file releases. However, an approver cannot approve their own request when dual control is enforced. This role is typically used in a peer approval environment.

Information Security Administrator: This role is responsible for setting up managed systems and accounts. The ISA role provides the functionality required for security help desk personnel. The ISA role can delegate limited authority to those responsible for resource management. The role enables a user to bypass every workflow and security measure, such as approval workflows or checked-out accounts. So even if another user has already checked out an account and knows the password, an ISA user can still view the password.

Auditor: Users can:
  • Log on and run reports in BeyondInsight Analytics & Reporting
  • View Replay Sessions in the web portal
  The Auditor role can be assigned with other roles.

No Roles: Assign this role to remove any previously assigned roles from a user group.

Credentials Manager: Users can set credentials using the PUT ManagedAccounts/{accountId}/Credentials API.

Recorded Session Reviewer: Users can view and take action on recorded Password Safe sessions, including:
  • Add comments
  • Mark the session as reviewed
  • Archive sessions if configured on the appliance

Active Session Reviewer: Users can view and take action on active Password Safe sessions, including:
  • Lock session
  • Terminate the session
  • Cancel the request

On all systems where a user is granted the ISA role, the user can change the following system details:

• Grant users/groups roles to the managed system.
• Review release requests.


• Add and change accounts on managed systems.
• Assign a system to a collection (provided the ISA role is granted to the user for both the system and the collection).
• Remove their ISA role from a system.

The roles that you can assign vary depending on the Smart Rule type.

• Asset Based Smart Rule: Roles only include the ISA role and Auditor role.
• Managed Accounts Based Smart Rule: Roles include most roles.

Create a Group and Assign Roles

Note: You cannot assign roles to the BeyondInsight administrator.

Roles are only available to BeyondInsight features.

1. From the left navigation pane in the console, select Configuration.
2. Under Role Based Access, select User Management.
3. Click Create New Group.
4. Select Create a New Group.
5. Enter a name and description for the group.
6. Click Create Group.

• Assign users to the group:
  ◦ Under Group Details, select Users.
  ◦ From the Show dropdown list, select Users not assigned.
  ◦ Filter the list of users displayed in the grid by Type, Username, Name, Email, and Domain, if desired.
  ◦ Select the users you wish to add to the group, and then click Assign User.

7. Assign features permissions to the group:

• Under Group Details, select Features.
• Filter the list of features displayed in the grid using the Show and Filter by dropdown lists.


• Select the features you wish to assign permissions to, and then click Assign Permissions.
• Select Assign Permissions Read Only or Assign Permissions Full Control.

8. Assign smart groups permissions and roles to the group:

• Under Group Details, select Smart Groups.
• Filter the list of smart groups displayed in the grid using the Show and Filter by dropdown lists.
• Select the smart group or groups you wish to assign permissions to, and then click Assign Permissions.
• Select Assign Permissions Read Only or Assign Permissions Full Control.
• Select the smart group you wish to assign Password Safe roles to, and then click the More Options button.
• Select Edit Password Safe Roles.


• Select the role(s). If selecting Requester, also select an Access Policy from the dropdown list.
• Click Save Roles.

Quarantine User Accounts

You can turn on the quarantine feature as a preventative measure when suspicious activity is detected. When quarantine is turned on, the user account can no longer log in to the console or API, and any active sessions are terminated immediately.

The difference between account lockout and account quarantine is that account lockout cannot terminate sessions.

The setting is turned on at the user account level as follows:

1. From the left navigation pane in the console, select Configuration.
2. Under Role Based Access, select User Management.
3. Under Users, select the user account.
4. Click the More Options button, and then select Edit User Details.
5. Enable the Account Quarantined option.
6. Click Update User.

Set the Refresh Interval on the Quarantine Cache

You can set the length of time that passes before the cache is updated with the user accounts from the database. The quarantine is only applied to the user account after the cache is updated.

The user can remain logged in and sessions remain active until the refresh interval passes (and the cache is updated with the quarantine status).


1. From the left navigation in the console, select Configuration.
2. Under System, click Site Options.
3. Under Session, enter the number of seconds that pass before the cache is updated with the most recently discovered quarantined user accounts.

The default value is 600 seconds (10 minutes). The maximum value is 1200 seconds (20 minutes).

4. Click Update Session Options.

Configure API Access

When using the Password Safe API, the group where the users are assigned must permit access to the API. Additionally, any managed accounts that must be accessible by the API must also be configured.

Configure Group with API Access

A BeyondInsight user will have API access if at least one of the user groups they belong to has API access enabled.

1. From the left navigation pane in the console, select Configuration.
2. Under Role Based Access, select User Management.
3. Select the group, and then click the More Options button.
4. Select View Group Details.
5. Under Group Details, select API Registrations.
6. Select the API registrations for the group.

Enable API Setting for Managed Account

You must turn on API access for a Password Safe managed account to be accessible to the API methods.

1. Select Managed Accounts.
2. Click the More Options button for a managed account, and then select Edit Account.


3. Expand Account Settings, and then click the toggle to change the API Enabled option to yes.
4. Click Update Account.

Restrict Access to Password Safe Login Page

When using SAML authentication to access the Password Safe web portal, you might not want users to log in directly to the web portal URL. You can disable direct access to the Password Safe web portal URL. Users must then always provide the SAML credentials before gaining access to the web portal.

The setting can be applied to Active Directory, LDAP, and local BeyondInsight users.

The following procedure assumes the group and user are already created.

1. From the left navigation pane in the console, select Configuration.
2. Under Role Based Access, select User Management.
3. Click Users to display the list of users in the grid.
4. Select a user, and then click the More Options button.
5. Select Edit User Details.


6. Click the toggle to change the Disable Login Forms option to yes.

Configure Approvals

You can control the number of approvers required for a requester. You can also control the number of approvers required for each access type: View Password, RDP, and SSH. This is configured in an access policy, which can then be assigned to a group when assigning Password Safe roles to the group.

For more information, please see "Create a Group and Assign Roles" on page 37.

Use a Managed Account as a Credential

You can use a managed account for the credential when you are configuring queries and user groups for Active Directory and LDAP.

Note: You cannot delete a managed account if it is used as a credential for a user group. You can delete a managed account used as a credential for a directory query; however, the query will no longer run. You must select another credential for the query to run again.

For more information on managed account settings, please see "Use a Managed Account as a Discovery Scan Credential" on page 26.


Configure the Managed Account

Before you configure the query or group, the managed account must be in place and specific settings must be selected.

When you configure the managed account settings, be sure to select the Allow this account to be used in BeyondInsight and Directory Queries option.

If there are several managed accounts organized in a smart group, select Enable Accounts for AD/LDAP queries in the Smart Rule.

IMPORTANT!

Disable the Change Password After Release option on the managed account, as log files can grow significantly in a short time when using managed account credentials with a directory query.

Configure the Query

Active Directory and LDAP queries can use a managed account as a credential.

An Active Directory or LDAP group can use a managed account as the credential. When you create the group, the managed account is listed as a credential.

For more information on creating directory queries, please see the BeyondInsight User Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/user/tools/create-directory-queries.htm.

Configure LDAP Groups

Before logging in to Password Safe using LDAP, you must configure an LDAP group.

For more information on creating and configuring LDAP groups, please see the BeyondInsight User Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/user/role-based-access/configure-groups.htm.

Real Time Authorization

Real Time Authorization lets administrators remove users from groups while those users are logged in with a directory account. With the registry key below enabled, Password Safe performs an additional check at request time to ensure that the user still has access to the password at the moment they request it. This puts the user through the login process every time a password is requested.

Enable the following registry key to turn on this feature:

HKLM\SOFTWARE\BeyondTrust\PBPS\EnableCheckoutAuthorization


After the user is removed from the group, they will receive the following error message when they request password access: Missing required Password Safe role.


Configure Password Safe Access Policies

An access policy defines the time frame and frequency within which users can request passwords, remote access sessions, or access to applications under Password Safe management.

An access policy is selected when you are configuring the Requester role.

Create an Access Policy

1. In the console, navigate to Configuration > Privileged Access Management Policies > Access Policies.
2. In the Access Policies pane, click Create New Access Policy.
3. Enter a name for the policy, and then click Create Access Policy.
4. On the Basic Details tab:

• Enter a description for the policy.
• Enable the Email Notifications option to send emails when a request is received for the policy.
• Enter an email address, and then click Add.

Note: Multiple addresses cannot be added at once. Each email address must be added one at a time.


5. Select the Schedule tab, and then click Create Schedule.
6. Configure the following scheduling parameters:

• Time Range: Select the time of day when the policy can be accessed.
• Date Range: Select a date range.
• Recurrence: Select the frequency that the access is available. If you select Daily, and then select Every Day, you can optionally select Allows multi-day check-outs of accounts. This option allows the user continuous access to a granted request over a span of days.

7. Select the Enable Location Restrictions option if applicable, and then select a location from the list.
8. If applicable, select an address from the X-Forwarded-For list. This field holds the allowed value of the X-Forwarded-For header that an F5 load balancer or proxy adds to the request. Password Safe uses address groups to verify that the IP address in the header is in that list; URL and named host entries in the address group are ignored. If the X-Forwarded-For field has a value of Any, no X-Forwarded-For header is required or verified. When it is configured, the X-Forwarded-For header is required and its value must be one of the IPs in the address group.

Note: In the case of a new configuration, this error message can be found in the log:

CheckLocationAllowed: XForwardedForHeaderValue 1.1.1.1 is not registered/trusted. Add this XForwardedForHeaderValue to the TestGroupName Address group
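The X-Forwarded-For check described in step 8, modelled as an added Python example (not BeyondTrust code) so the Any / required / not-trusted cases and the log line above can be seen side by side. The address group contents, the rule that only the first (client) address of a comma-separated header is checked, and the membership of the group named TestGroupName are assumptions.

```python
"""Added example, not BeyondTrust code: models the access-policy X-Forwarded-For
check (Any = header not required or verified; otherwise the header is required
and its IP must be in the selected address group).

Assumptions not taken from the guide: an address group is a list of strings
mixing IPs, CIDR ranges, URLs and host names; only the first (client) address
of a comma-separated header is checked; all sample data below is constructed."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample address group (name -> entries). The URL and the named host
# are deliberately included: the guide says such entries are ignored.
ADDRESS_GROUPS: Dict[str, List[str]] = {
    "TestGroupName": ["10.0.0.5", "192.0.2.0/24", "https://lb.example.test", "proxy-01"],
}

ANY = "Any"  # access-policy value: no header required or verified


def parse_address_group(entries: Iterable[str]) -> List[IPNet]:
    """Keep only IP addresses and CIDR ranges; skip URL and named-host entries."""
    nets: List[IPNet] = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # URL or named host: ignored for this check
    return nets


def client_address(header_value: str) -> Optional[IPAddr]:
    """X-Forwarded-For may carry a hop chain ('client, proxy1, proxy2'); take the first."""
    first = header_value.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None


def check_location_allowed(headers: Dict[str, str], policy_xff: str,
                           address_groups: Dict[str, List[str]] = ADDRESS_GROUPS
                           ) -> Tuple[bool, str]:
    """Return (allowed, log_message) for one request against one access policy.

    policy_xff is the access policy's X-Forwarded-For field: either ANY or the
    name of an address group.
    """
    if policy_xff == ANY:
        return True, "CheckLocationAllowed: X-Forwarded-For not verified (policy value Any)"

    # HTTP header names are case-insensitive, so match accordingly.
    value = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if value is None:
        return False, "CheckLocationAllowed: X-Forwarded-For header is required but missing"

    addr = client_address(value)
    if addr is None:
        return False, f"CheckLocationAllowed: XForwardedForHeaderValue {value!r} is not an IP address"

    if any(addr in net for net in parse_address_group(address_groups.get(policy_xff, []))):
        return True, f"CheckLocationAllowed: XForwardedForHeaderValue {addr} is trusted via {policy_xff}"

    # Denied: same wording as the log line quoted in the guide.
    return False, (f"CheckLocationAllowed: XForwardedForHeaderValue {addr} is not registered/trusted. "
                   f"Add this XForwardedForHeaderValue to the {policy_xff} Address group")


if __name__ == "__main__":
    for hdrs, policy in [({"X-Forwarded-For": "1.1.1.1"}, "TestGroupName"),
                         ({"X-Forwarded-For": "192.0.2.77, 10.9.9.9"}, "TestGroupName"),
                         ({}, "TestGroupName"),
                         ({}, ANY)]:
        print(check_location_allowed(hdrs, policy))
```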

9. Select the type of access that you are permitting: View Password, RDP, SSH, or Application.
10. For each type of access selected, configure the parameters as required. Descriptions for each parameter are as follows:

Approvers: Select the number of approvers required to permit access. Check Auto Approve if the requests do not require any approvers.

Allow API Rotation Override: Check this option for View Password access to allow API callers, such as Password Safe Cache, to override the Change Password After Any Release managed account setting for view-type requests.

Record: Check the box to record the session.

Keystroke Logging: Keystrokes can be logged during RDP, SSH, and application sessions. Uncheck the boxes for each policy type to disable keystroke logging for that type.

Enhanced Session Auditing: Enhanced session auditing applies to RDP and application sessions and is on by default. Uncheck the box to turn off enhanced logging.

Concurrent: Set the number of sessions permitted at a time. Check Unlimited to permit the user any number of connections at the same time.


• Log off on Disconnect: Check this box to automatically log off the user when the connection to the session disconnects or the session window closes. This option applies only to RDP and RDP application sessions.

• Force Termination: Check this box to close the session when the time period expires. When Log off on Disconnect is also selected, the user is logged off the session. This check box applies to RDP, SSH, and application sessions.

  When the Requested Duration (as entered by the user on the Requests page in the web portal) is exceeded, the session ends if the Force Termination box is checked for the access policy.

  The default and maximum release durations are configured on the Managed Accounts page and Managed System Settings page.

• RDP Admin Console: Select this option to show the RDP Admin Console check box on RDP-based requests. This option allows administration of a Remote Desktop Session Host server in console mode (mstsc /admin). This can be useful if the number of remote sessions is maxed out on the host.

  Using the RDP Admin Console allows you to use a remote session without requiring other sessions to disconnect. Running a remote session using the RDP Admin Console disables certain services and functionality, such as, but not limited to:

  ◦ Remote Desktop Services client access licensing
  ◦ Time zone redirection
  ◦ Remote Desktop Connection Broker redirection
  ◦ Remote Desktop Easy Print

• Connection Profile: Select a profile from the list or click Manage Connection Profiles to be taken to the Connection Profiles page to create a new profile.

11. Under Policy Options:

• If you want users to provide a reason when making requests in Password Safe, click the toggle for the Reason is required for new requests option to enable it.

• If you want users to provide a ticket number for a ticketing system when making requests in Password Safe, click the toggle for the Require a ticket system and a ticket number for requests option to enable it.

  ◦ Once enabled, select the Ticket System from the dropdown. If you leave the Ticket System as User Selected, the user can select any ticket system from the list when making their request. If you select a specific ticket system for this option, the user is unable to change the ticket system when making their request.


12. Click Create Schedule. If the Access Policy is not yet marked as available, you are prompted to activate it now.

13. Click Save Access Policy.

The access policy can now be assigned to a group as follows:

1. Select the Assignees tab for your newly created access policy.

2. Click Manage Assignees. You are taken to the User Management page.

3. Select the More Options icon for a group, and then select View Group Details.

4. Under Group Details, select Smart Groups.

5. Select the More Options icon for a smart group, and then select Edit Password Safe Roles.

6. Select the access policy from the Access Policy for Requestor dropdown.

7. Click Save Roles. The group is now listed as an assignee on the Assignees tab.

For more information, please see the following:

• "Configure Keystroke Logging" on page 109

• "Enhanced Session Auditing" on page 110

• For configuring release durations, "Add a Managed System Manually" on page 11

• For information on how to use mstsc /admin, mstsc at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc

• "Create a Connection Profile" on page 49

Create a Connection Profile

Connection profiles allow administrators to create a blacklist of keywords, host names, and IP addresses. Each blacklisted item can be given a separate action which is triggered when requesters type a blacklisted item in an active SSH session.

Administrators can choose to have Password Safe perform the following actions when a match occurs:

• No Action: Select to be alerted only if a match occurs.
• Block: Blocks the transmission of the command to the remote machine.
• Lock: Locks the session for the requester.
• Block and Lock: Performs both a block and lock as described above.
• Terminate: Ends the remote session.

Note: Connection policies apply to SSH and SSH application sessions.

1. In the BeyondInsight console go to Configuration > Privileged Access Management Policies > Connection Profiles.

2. In the Connection Profiles pane, click Create Connection Profile.

3. In the Create Connection Profile pane:

• Enter a name for the profile.

• Under Email Notification Settings, enter an email address and then click Add Recipient to send email notifications when a blacklisted item is triggered.

4. Click Save Changes.

5. Click Create Match Condition.

6. To add a blacklisted item, select one of the following from the Match dropdown: Keyword, Hostname, or IP Address.

7. Enter the match criteria in the Value box.

8. From the Session Control dropdown, select the action to take when the blacklisted item is triggered.

9. Click Create Condition. Each blacklisted item is displayed on a separate line.

10. Click Save Changes.


11. After you save the connection profile, it must be applied on the access policy schedule. Select the access policy, and then double-click the blue shaded area of the scheduling grid. Select the connection profile from the menu.

Use a Predefined Connection Profile

The following predefined connection profiles are available for an access policy: Lateral Movement and Suspicious Activity.

The profiles are configured to match on keywords that might indicate suspicious behavior occurring on your network. If a match is detected on any of the keyword values, the session is blocked.

You can add or delete keywords in the predefined connection profiles.
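As an added example (not BeyondTrust code), the following Python model evaluates a connection profile's match conditions against a line of typed SSH input and returns the Session Control effect, covering both the custom profile built in the steps above and the predefined, block-on-keyword profiles. The match types and action names are the guide's; the sample profile contents, the token-splitting rule for host names and IPs, and the notification hook are assumptions.

```python
"""Added example (not BeyondTrust code): a model of a connection profile's
match conditions and Session Control actions. The match types (Keyword,
Hostname, IP Address) and action names are the guide's; the profile contents,
tokenising rule, sample input and notification hook are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MATCH_TYPES = ("Keyword", "Hostname", "IP Address")
ACTIONS = ("No Action", "Block", "Lock", "Block and Lock", "Terminate")

# Constructed: split typed input into tokens so that host names and IPs are
# matched whole (10.0.0.1 must not also fire on 10.0.0.10 or hide in user@host).
_TOKEN_SPLIT = re.compile(r"[\s@:/'\";,()]+")


@dataclass
class MatchCondition:
    match: str             # one of MATCH_TYPES
    value: str             # the blacklisted keyword, host name or IP address
    session_control: str   # one of ACTIONS

    def __post_init__(self) -> None:
        if self.match not in MATCH_TYPES:
            raise ValueError(f"unknown match type: {self.match}")
        if self.session_control not in ACTIONS:
            raise ValueError(f"unknown session control: {self.session_control}")

    def hits(self, typed: str) -> bool:
        """True when one line of typed SSH input contains this blacklisted item."""
        if self.match == "Keyword":
            return self.value.lower() in typed.lower()  # substring, case-insensitive (assumption)
        tokens = [t for t in _TOKEN_SPLIT.split(typed) if t]
        return any(t.lower() == self.value.lower() for t in tokens)


@dataclass
class Outcome:
    blocked: bool = False      # Block: the input is not transmitted to the remote machine
    locked: bool = False       # Lock: the session is locked for the requester
    terminated: bool = False   # Terminate: the remote session is ended
    alerts: List[str] = field(default_factory=list)  # one entry per match, No Action included


@dataclass
class ConnectionProfile:
    name: str
    recipients: List[str] = field(default_factory=list)  # Email Notification Settings
    conditions: List[MatchCondition] = field(default_factory=list)

    def evaluate(self, typed: str) -> Outcome:
        """Apply every match condition to one line of typed input.

        Each matching condition raises an alert; No Action stops there, while
        Block, Lock, Block and Lock and Terminate set the corresponding flags.
        Several matches accumulate, so the strongest matched control applies.
        """
        out = Outcome()
        for cond in self.conditions:
            if not cond.hits(typed):
                continue
            out.alerts.append(f"[{self.name}] {cond.match} '{cond.value}' matched: {cond.session_control}")
            if cond.session_control in ("Block", "Block and Lock"):
                out.blocked = True
            if cond.session_control in ("Lock", "Block and Lock"):
                out.locked = True
            if cond.session_control == "Terminate":
                out.terminated = True
        return out

    def notifications(self, out: Outcome) -> List[Tuple[str, str]]:
        """(recipient, alert) pairs an email sender would deliver for this outcome."""
        return [(rcpt, alert) for alert in out.alerts for rcpt in self.recipients]


# Constructed sample profile; the values are illustrative, not the guide's predefined profiles.
SAMPLE_PROFILE = ConnectionProfile(
    name="Constructed Profile",
    recipients=["secops@example.com"],
    conditions=[
        MatchCondition("Keyword", "shutdown", "Block"),
        MatchCondition("Hostname", "dc01.example.internal", "Lock"),
        MatchCondition("IP Address", "10.0.0.1", "Block and Lock"),
        MatchCondition("Keyword", "reboot", "No Action"),
    ],
)

if __name__ == "__main__":
    # Constructed sample of typed SSH input lines.
    for line in ["ls -la /var/log", "sudo shutdown -h now", "ssh root@10.0.0.1:22", "ssh ops@10.0.0.10"]:
        print(f"{line!r:28} -> {SAMPLE_PROFILE.evaluate(line)}")
```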


Create Password Policies

Password Safe ships with a default password policy used to generate new passwords for auto managed accounts. You can change the settings for the default policy, such as password length and complexity, but you cannot delete the default password policy. You can also create new password policies.

Note: Ensure the policies you create in Password Safe align with password complexity and restrictions in place on the managed system; otherwise, Password Safe might create a password that does not comply with the rules in place on that managed system.

1. In the BeyondInsight console go to Configuration > Privileged Access Management Policies > Password Policies.

2. Click Create Password Policy.

3. Enter a Password Policy Name and Description.

4. Set the following parameters for your policy:

• Minimum and Maximum Characters: Use the - and + buttons to incrementally lower or raise the Minimum length and Maximum length of passwords for the selected policy. You can also manually enter the numbers in the text fields. Valid entries are 4 - 255 characters.

• Select the First Character Value.

• Uppercase Characters: Use the toggle button to permit or deny the use of uppercase characters in passwords. If uppercase characters are permitted:

  ◦ Set the Minimum number of required uppercase characters using the - and + buttons or by entering a number in the text field.

  ◦ Enter permissible characters in the Allow only the following uppercase characters field.

• Lowercase Characters: Use the toggle button to permit or deny the use of lowercase characters in passwords. If lowercase characters are permitted:

  ◦ Set the Minimum number of required lowercase characters using the - and + buttons or by entering a number in the text field.

  ◦ Enter permissible characters in the Allow only the following lowercase characters field.

• Numeric Characters: Use the toggle button to permit or deny the use of numeric characters in passwords. If numeric characters are permitted:

  ◦ Set the Minimum number of required numeric characters using the - and + buttons or by entering a number in the text field.

  ◦ Enter permissible characters in the Allow only the following numeric characters field.

• Non-Alphanumeric Characters: Use the toggle button to permit or deny the use of non-alphanumeric characters in passwords. If non-alphanumeric characters are permitted:


  ◦ Set the Minimum number of required non-alphanumeric characters using the - and + buttons or by entering a number in the text field.

  ◦ Enter permissible characters in the Allow only the following non-alphanumeric characters field.

5. Click Create Password Policy when done.
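As an added example (not BeyondTrust code), the following Python generator and validator implements the policy parameters described in step 4: the 4 to 255 length bounds, a first-character requirement, per-class permit/deny toggles with minimum counts, and the "Allow only the following ... characters" restriction that keeps generated passwords within what the managed system accepts. The parameter names follow the guide; the class layout, the way the First Character Value is modelled (as one of the four character classes) and the sample policy are assumptions.

```python
"""Added example (not BeyondTrust code): generator and validator for a password
policy with the parameters listed above. Parameter names follow the guide; the
class layout, first-character modelling and sample policy are constructed."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_SETS = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numeric": string.digits,
    "non_alphanumeric": string.punctuation,
}
_rng = secrets.SystemRandom()  # OS entropy for credential material, never random.Random


@dataclass
class CharClass:
    permitted: bool = True
    minimum: int = 0   # "Minimum number of required ... characters"
    allowed: str = ""  # "Allow only the following ... characters"; empty = whole class


@dataclass
class PasswordPolicy:
    name: str
    min_length: int = 4
    max_length: int = 255
    first_character: Optional[str] = None  # constructed: a DEFAULT_SETS key, or None for any
    # classes must carry all four DEFAULT_SETS keys (the default does)
    classes: Dict[str, CharClass] = field(default_factory=lambda: {k: CharClass() for k in DEFAULT_SETS})

    def alphabet(self, name: str) -> str:
        """Characters of one class this policy permits (empty if the class is denied)."""
        cls = self.classes[name]
        if not cls.permitted:
            return ""
        return "".join(ch for ch in (cls.allowed or DEFAULT_SETS[name]) if ch in DEFAULT_SETS[name])

    def union(self) -> str:
        return "".join(self.alphabet(n) for n in DEFAULT_SETS)

    def minimums(self) -> Dict[str, int]:
        """Required count per class; the first-character class needs at least one."""
        need = {n: c.minimum for n, c in self.classes.items()}
        if self.first_character:
            need[self.first_character] = max(1, need[self.first_character])
        return need

    def check(self) -> None:
        """Reject an inconsistent policy before any password is generated."""
        if not 4 <= self.min_length <= self.max_length <= 255:
            raise ValueError("lengths must satisfy 4 <= minimum <= maximum <= 255")
        if self.first_character and not self.alphabet(self.first_character):
            raise ValueError("first character class is not permitted")
        if sum(self.minimums().values()) > self.max_length:
            raise ValueError("class minimums exceed the maximum length")
        for name, cls in self.classes.items():
            if cls.permitted and cls.minimum > 0 and not self.alphabet(name):
                raise ValueError(f"{name}: minimum required but no characters allowed")
        if not self.union():
            raise ValueError("no character class is permitted")

    def violations(self, password: str) -> List[str]:
        """Why a password (e.g. one set on the managed system) breaks this policy."""
        problems: List[str] = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length {len(password)} outside {self.min_length}-{self.max_length}")
        union = self.union()  # characters of denied classes are simply absent from the union
        problems += [f"character {ch!r} not allowed" for ch in password if ch not in union]
        for name, cls in self.classes.items():
            count = sum(ch in self.alphabet(name) for ch in password)
            if count < cls.minimum:
                problems.append(f"{name}: {count} present, minimum {cls.minimum}")
        if self.first_character and password and password[0] not in self.alphabet(self.first_character):
            problems.append(f"first character must be {self.first_character}")
        return problems

    def generate(self) -> str:
        """Generate a password satisfying every parameter of this policy."""
        self.check()
        chars: List[str] = []
        for name, need in self.minimums().items():  # satisfy each minimum first
            chars += [_rng.choice(self.alphabet(name)) for _ in range(need)]
        length = _rng.randint(max(self.min_length, len(chars)), self.max_length)
        chars += [_rng.choice(self.union()) for _ in range(length - len(chars))]
        _rng.shuffle(chars)
        if self.first_character:  # swap a character of the required class into position 0
            first = self.alphabet(self.first_character)
            idx = next(i for i, ch in enumerate(chars) if ch in first)
            chars[0], chars[idx] = chars[idx], chars[0]
        return "".join(chars)


# Constructed sample policy: the managed system in this scenario accepts only a
# few symbols, so non-alphanumeric characters are restricted to match it.
SAMPLE_POLICY = PasswordPolicy(
    name="constructed-linux-policy", min_length=16, max_length=24, first_character="lowercase",
    classes={
        "uppercase": CharClass(minimum=2),
        "lowercase": CharClass(minimum=2),
        "numeric": CharClass(minimum=2),
        "non_alphanumeric": CharClass(minimum=1, allowed="!@#$%^&*"),
    },
)
```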


Manage Recorded Sessions

View Recorded Sessions

The following users can view recorded sessions:

• Administrators
• Users with the Auditor role
• Users with the Recorded Session Reviewer role
• Users with the ISA role

1. From the left navigation, click Menu, and then click Replay under Password Safe.

2. Click All, RDP, or SSH to find the recording.

3. Select a recorded session.

4. A thumbnail is displayed with session details. Click Open.

5. Click Play to review the recording. You can hover over any part of the video progress bar to reveal the time stamp and click anywhere on the bar to select an instance in the recorded session.

6. Check Mark as Reviewed for easy tracking of reviewed sessions.

7. Add comments as needed, and then click Save & Close. The comments are displayed with the session thumbnail.

Use Keystroke Search

To find sessions containing keystrokes:

1. Check Search by keystrokes, and then enter a word or phrase in the field provided.

2. Click Search. If the word or phrase was logged, the sessions containing those keystrokes are displayed.


Export a Session Frame

You can select a screen shot from a recorded session and export it to a JPEG file. The file exports at a resolution of 1024 x 768. This feature is available only for recorded RDP and SSH sessions. Snapshots can be taken while the recording is paused or in play mode.

Click the Snapshot button.

The JPEG file is automatically saved to the default download location specified in your browser settings.

A notification is displayed when the export is complete.

Archive Recorded Sessions

You can archive recorded sessions. Archive settings are configured on the UVM appliance.

Note: Parameters can be configured to allow auto-archiving of any recorded sessions older than a specific number of days.

For more information, refer to the UVM Appliance User Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/appliance/uvm-appliance/administration/index.htm.

View and Restore Archived Sessions

Once a session has been recorded, you can retrieve it from the Replay Sessions window. 


1. Open the session by clicking Open.

2. Once the viewer opens, click Archive Session.

3. Select the archived session.

4. Click Restore Session to restore the session.


Manage Active Sessions

View Active Sessions

You can view a session in real time. Administrators, ISA users, or users that have been granted permissions to the asset through a Smart Rule that has the Active Session Reviewer role, can view Active Sessions in real time.

1. Log in to the web portal.

2. Click Menu and then click Active Sessions.

3. Select a session.

4. Click the thumbnail to open the session in a larger window.

Lock an Active Session

1. Log in to the web portal.

2. Click Menu and then select Active Sessions.

3. Select a session.

4. Click the Lock button to lock the user session, preventing further interaction with their session.

The message displayed to the user is different for RDP and SSH sessions. See the examples below.

RDP Message: Your session has been locked. Please contact your administrator.

SSH Message: Your session has been locked, please contact your Administrator.


5. Click the Unlock button to unlock the session.

Tip: Alternatively, a session can be locked and unlocked when viewing the session in the session player window, by clicking the Lock and Unlock buttons.

Terminate an Active Session

1. Log in to the web portal.

2. Click Menu and then select Active Sessions.

3. Select a session.

4. Click the Terminate button to immediately end a session.

Tip: Alternatively, a session can be terminated when viewing the session in the session player window, by clicking the Terminate button.

Note: When terminating a session, it will automatically close and be removed from the Active Sessions table. The session will then be available to view in Replay Sessions.

Terminate and Cancel an Active Session

1. Log in to the web portal.

2. Click Menu and then select Active Sessions.

3. Click the Terminate and Cancel button to immediately end a session and check in the request.

Alternatively, a session can be terminated and canceled when viewing the session in the session player window, by clicking the Terminate and Cancel button. The Terminate and Cancel button is only present for sessions initiated by regular users. It is not available for sessions initiated by administrators or ISA users. It is also not available in Admin Sessions.

View Keystrokes in Active Sessions

Keystrokes are logged and viewable during active sessions as they are executed. Administrators can sort these keystrokes as they populate by selecting the Oldest to Newest or Newest to Oldest sorting options within the Keystroke menu.

Note: Logged keystrokes cannot be selected during active sessions.


Add Windows Components to Password Safe

Password Safe can manage Active Directory and LDAP directories and directory accounts, Windows service accounts, scheduled task accounts, and IIS application pool accounts.

Add a Directory

1. From the left menu, select Managed Systems.

2. Click Create New Managed System.

3. From the Type list, select Directory.

4. From the Platform list, select Active Directory or LDAP.

5. Configure the settings for the directory, and then click Create Managed System.

For more information on adding managed systems manually, please see "Add a Managed System Manually" on page 11.

Add Directory Accounts

You can add directory accounts manually or by creating an Active Directory account with a Smart Group.

Add Directory Accounts Manually

1. On the Managed Systems page, select the managed system for the directory, and then click the vertical ellipsis button for the managed system.

Tip: Filter the list of managed systems in the grid by selecting Directory Managed Systems from the Smart Group filter to quickly find your managed system.

2. Select Create Managed Account.

3. Configure the managed account settings as necessary, and then click Create Account.

Tip: When configuring the managed account settings for an Active Directory account, you can choose a domain controller to change or test a password. The domain controller on the managed account overrides a domain controller on the functional account selected.

For more information on adding managed accounts manually, please see "Add a Managed System Manually" on page 11.

Discover Active Directory Accounts with an Active Directory Query

1. From the left menu, click Smart Rules.

2. From the Smart Rule type filter list, select Managed Account.

3. Click Create Smart Rule.


4. Select Managed Accounts from the Category list.

5. Provide a name and description for the Smart Rule.

6. Set the following Selection Criteria:

• Directory Query > Include accounts from Directory Query.

• Select the query from the list to create the query in real time.

• Ensure the Discover accounts for Password Safe Management option is enabled.

7. Set the following Actions:

• Show Managed Account as Smart Group.

• Manage Account Settings: Configure these settings as necessary, ensuring to select the following options from the Account Options dropdown:

  ◦ Change Password after Release
  ◦ Check Password
  ◦ Enable accounts for AD/LDAP queries

IMPORTANT!

By default, the Smart Rule auto manages the directory account passwords. If you do not want this, set Enable Automatic Password Management to No; otherwise, ALL accounts in the query will have passwords changed.

8. Click Create Smart Rule.

9. To view the Active Directory accounts, go to the Managed Accounts page, and then select the newly created Smart Group from the Smart Group filter list.

Link Active Directory Accounts to Managed System

You can link Active Directory accounts to managed systems on a specified domain.

1. From the left menu, click Managed Systems.

2. Select the managed system, and then click the vertical ellipsis button for the managed system.

3. Select Go to advanced details.

4. Under Advanced Details, select Linked Accounts.

5. Filter the list by Not Linked.

6. Select the accounts, and then click Link Accounts.

Create an Active Directory Functional Account

When creating an Active Directory managed account, the functional account requires a domain controller. Administrators can choose a targeted domain controller from the menu, or select Any Domain Controller, which allows Active Directory to choose.

Note: If a failure occurs when connecting to a target domain controller, Password Safe connects at the domain level.

Add Windows Service, Task Scheduler, and IIS Application Pool Accounts to Password Safe Management

Password Safe allows you to manage the credentials that are used for services, scheduled tasks, and IIS application pools in Windows. Accounts that are used to run services, scheduled tasks, and IIS application pools can be added as managed accounts in Password Safe. When their passwords are changed by Password Safe, the credentials are updated in any services, scheduled tasks, and IIS application pools that are associated with the managed account, if these options are enabled under Account Settings on the managed account.


These options are also available when creating a managed account Smart Rule by selecting Manage Account Settings under Actions, and then checking the applicable Account Options.

Available Account Options are:

• Change Password for Windows Service
• Change Password for Windows Task
• Change Password for Windows IIS Application Pool

Manage Windows Service Accounts

When a service is under Password Safe management, the following occurs when the managed account password changes:

• A service that is running restarts when the password is changed.
• A service that is stopped is not restarted when the password is changed.
• Dependent services may or may not restart based on the state of the primary service.


Before adding a service account to Password Safe management, be sure to:

• Start the remote registry service on the target.
• Start the UPnP (Universal Plug and Play) Device Host service on the target.
• Start the SDPP (Service Directory Placement Protocol) Discovery service on the target.
• Verify machines are in the domain, if applicable.
• Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add a service account to Password Safe management.

Prepare the Service

1. On the asset where the service resides, open the Windows Services snap-in and stop the service if it is running.

2. Right-click the service, and then select Properties.

3. Select the Log on tab and enter the local or Active Directory account and current credentials. If required, retrieve a password using the Password Safe administrator credentials.

4. Restart the service to verify it starts successfully.

Run a Scan on the Service Assets

1. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data of the services for the targets.

2. Add the discovered assets to Password Safe management.

3. Verify the following:

• From the Assets page:

  ◦ Select the asset, and then click the vertical ellipsis button for the asset.
  ◦ Select Go to advanced details.
  ◦ Under Scan Data, click Services.
  ◦ Confirm the services have been collected, their Status is Running, and the Log On As account name is correct.

• From the Managed Systems page:

  ◦ Select the managed system, and then click the vertical ellipsis button for the system.
  ◦ Select Edit Managed System.
  ◦ Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.

4. From the Managed Accounts page:

• Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
• Select Edit Account.
• Scroll down and expand Account Settings.
• Ensure the Change Services and Restart Services options are enabled.
• Click Update Account.


5. From the Managed Accounts page:

   • Select the managed account associated with the service, and then click the vertical ellipsis button for the managed account.
   • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
   • Click the vertical ellipsis button for the managed account again.
   • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.

6. Restart the service to verify the password change. The password change is successful if the service restarts. Otherwise, the password change is not successful. Go through all the steps in this chapter to troubleshoot.

Manage Windows Scheduled Task Accounts

When a scheduled task is under Password Safe management, the following occurs when the managed account password changes:

• A scheduled task that is running stops when the password is changed.
• A scheduled task that is stopped will run again at its next scheduled interval time.

Before adding a scheduled task account to Password Safe management, be sure to:

• Start the Task Scheduler service on the target.
• Start the UPnP (Universal Plug and Play) Device Host service on the target.
• Start the SDPP (Service Directory Placement Protocol) Discovery service on the target.
• Verify machines are in the domain, if applicable.
• Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.

Complete the following procedures to prepare and add scheduled task accounts to Password Safe management.

Prepare the Scheduled Tasks

1. On the asset where the scheduled task resides, open the Task Scheduler snap-in and end the task if it is running.
2. Right-click the scheduled task, and then select Properties.
3. On the General tab, click Change User, and enter the local or Active Directory account and current credentials. If required, retrieve a password using the Password Safe administrator login.
4. Run the task to verify it runs successfully.

Run a Scan on the Scheduled Tasks Assets

1. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data on the scheduled tasks for the targets.
2. Add the discovered assets to Password Safe management.


3. Verify the following:

   • From the Assets page:

     ◦ Select the asset, and then click the vertical ellipsis button for the asset.
     ◦ Select Go to advanced details.
     ◦ Under Scan Data, click Scheduled Tasks.
     ◦ Confirm the scheduled tasks were collected.
     ◦ Click the i button for each scheduled task and verify the Run As account name is correct.

   • From the Managed Systems page:

     ◦ Select the managed system, and then click the vertical ellipsis button for the system.
     ◦ Select Edit Managed System.
     ◦ Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.

4. From the Managed Accounts page:

   • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
   • Select Edit Account.
   • Scroll down and expand Account Settings.
   • Ensure the Change Tasks option is enabled.
   • Click Update Account.

5. From the Managed Accounts page:

   • Select the managed account associated with the scheduled task, and then click the vertical ellipsis button for the managed account.
   • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
   • Click the vertical ellipsis button for the managed account again.
   • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.

6. Run the scheduled task to verify the password change. The password change is successful if the scheduled task starts. Otherwise, the password change is not successful. Go through all the steps in this chapter to troubleshoot.

Manage Windows IIS Application Pool Accounts

When an IIS application pool account is under Password Safe management, the following occurs when the managed account password changes:

• An IIS application pool that is running restarts when the password is changed.
• An IIS application pool that is stopped is not started when the password is changed.

Before adding an IIS application pool account to Password Safe management, be sure to:

• Start the IIS Admin Service on the target.
• Start the UPnP (Universal Plug and Play) Device Host service on the target.
• Start the SDPP (Service Directory Placement Protocol) Discovery service on the target.
• Verify machines are in the domain, if applicable.
• Verify assets are managed with a local administrator account if not in the domain, or with a domain administrator account if in the domain.
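As an added pre-flight check (not part of the BeyondTrust guide), the following PowerShell, run locally on a Windows target with administrator rights, verifies the prerequisites listed above for service, scheduled task and IIS application pool accounts, and lists which services, tasks and application pools run as the account about to be managed, the same Log On As, Run As and Identity values the Scan Data verification steps in each procedure ask you to confirm. It assumes the standard Windows service names (RemoteRegistry, upnphost, Schedule, IISADMIN), treats the guide's "SDPP Discovery" as the Windows SSDP Discovery service (SSDPSRV), and uses an example account name.

```powershell
# Added pre-flight check; not part of the BeyondTrust Password Safe guide.
# Save as Test-PasswordSafeTarget.ps1 and run locally on the Windows target
# with administrator rights. Service names below are the standard Windows ones
# (assumption); the guide's "SDPP Discovery" is taken to be SSDP Discovery (SSDPSRV).
param(
    # Account about to be placed under Password Safe management, for example
    # 'CORP\svc-app' (domain) or '.\svc-app' (local). Example value, not from the guide.
    [Parameter(Mandatory = $true)]
    [string]$ManagedAccount
)

# Services the guide requires to be running, per kind of account being managed.
$requiredServices = @{
    'Service'       = @('RemoteRegistry', 'upnphost', 'SSDPSRV')
    'ScheduledTask' = @('Schedule',       'upnphost', 'SSDPSRV')
    'IISAppPool'    = @('IISADMIN',       'upnphost', 'SSDPSRV')
}

function Test-RequiredService {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # -ErrorAction SilentlyContinue returns nothing if the service is not installed.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Present = [bool]$svc
            Running = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

# 1. Domain membership: a domain administrator functional account is expected on
#    domain members, a local administrator account otherwise.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host ("Host {0}: PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain)
$prefix = ($ManagedAccount -split '\\')[0]
$looksLocal = ($ManagedAccount -notmatch '\\') -or ($prefix -in @('.', $cs.Name, 'NT AUTHORITY', 'NT SERVICE'))
if (-not $looksLocal -and -not $cs.PartOfDomain) {
    Write-Warning "'$ManagedAccount' is a domain-style name but this host is not domain joined."
}

# 2. Required services, per account kind. Anything Present=False or Running=False
#    must be fixed before the Detailed Discovery Scan, or the scan data will be incomplete.
foreach ($kind in $requiredServices.Keys) {
    Write-Host "`nRequired services for $kind accounts:"
    Test-RequiredService -Names $requiredServices[$kind] |
        Format-Table -AutoSize | Out-String | Write-Host
}

# 3. Where the account is used on this host. These are the same values the guide has
#    you confirm under Scan Data after the scan (Services > Log On As, Scheduled
#    Tasks > Run As, Application Pools > Identity). Matching is case-insensitive on the
#    name given; a UPN form such as svc-app@corp.local must be passed in that form.
$acctPattern = [regex]::Escape($ManagedAccount)

Write-Host "`nServices with Log On As = $ManagedAccount (a running service stops on password change):"
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $acctPattern } |
    Select-Object Name, State, StartName | Format-Table -AutoSize | Out-String | Write-Host

Write-Host "Scheduled tasks with Run As = $ManagedAccount (a running task stops on password change):"
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $acctPattern } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize | Out-String | Write-Host

if (Get-Command Get-IISAppPool -ErrorAction SilentlyContinue) {
    Write-Host "IIS application pools with Identity = $ManagedAccount (a running pool restarts on password change):"
    Get-IISAppPool |
        Where-Object { $_.ProcessModel.IdentityType -eq 'SpecificUser' -and
                       $_.ProcessModel.UserName -match $acctPattern } |
        Select-Object Name, State, @{ n = 'Identity'; e = { $_.ProcessModel.UserName } } |
        Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "IISAdministration module (Get-IISAppPool) not available; skipping application pool check."
}
```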

Complete the following procedures to prepare and add IIS application pool accounts to Password Safe management.

Run a Scan on the IIS Application Pool Assets

1. In the BeyondInsight console, click Scan to run a Detailed Discovery Scan against the target systems to add the systems as assets in BeyondInsight. The detailed scan collects data on the IIS application pools for the targets.
2. Add the discovered assets to Password Safe management.
3. Verify the following:

   • From the Assets page:

     ◦ Select the asset, and then click the vertical ellipsis button for the asset.
     ◦ Select Go to advanced details.
     ◦ Under Scan Data, click Application Pools.
     ◦ Confirm the IIS application pools have been collected, and that their Identity account name is correct.

   • From the Managed Systems page:

     ◦ Select the managed system, and then click the vertical ellipsis button for the system.
     ◦ Select Edit Managed System.
     ◦ Verify that NetBIOS Name is entered. It must be a fully qualified domain name (FQDN) if a domain account is used.

4. From the Managed Accounts page:

   • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
   • Select Edit Account.
   • Scroll down and expand Account Settings.
   • Ensure the Change IIS Application Pool option is enabled.
   • Click Update Account.

5. From the Managed Accounts page:

   • Select the managed account associated with the IIS application pool, and then click the vertical ellipsis button for the managed account.
   • Select Test Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.
   • Click the vertical ellipsis button for the managed account again.
   • Select Change Password. A slide-out status message with the results of the change attempt is displayed at the bottom of the page.


Configure Password Safe Global Settings

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.
2. Set the options in each of the sections below. Click the Update button for each section to apply changes made in that section.

Sessions

Setting | Description / Action
--- | ---
Connecting to systems using | Allows you to choose how you want to connect to systems. Select DNS Name or IP Address, or All if you want multiple connection options to be available.
RDP session default port | Allows you to change the default port for all RDP sessions.
Token timeout for remote session playback | Allows you to change the default timeout. The default is 30 seconds. The range is 10 - 60 seconds.
Session initialization timeout | Allows you to change the default session token value. The default is 30 seconds. The range is 5 - 600 seconds. Applies to SSH, RDP, and application sessions.
Default RDP screen resolution | Allows you to change the default screen resolution. Range is 640x480 - 1920x2058 pixels.
Enable smart sizing | Enable to resize the RDP window to match the size of the user's screen.
Allow users to select a remote proxy | Enable if you want users to be able to select specific BeyondInsight instances when making requests.
Make smart card device available in remote desktop sessions | When enabled, the user must log in to the session using smart card credentials when configured for the system. This setting applies to all RDP sessions and is turned off by default. This is an advanced feature. Please contact BeyondTrust Technical Support for assistance with using this feature.
Hide record checkbox for ISA sessions | Enable if you do not want the Record Session check box to be available on requests.

For more information, please see "Configure Session Monitoring" on page 106.

Requests

Setting | Description / Action
--- | ---
Require a ticket system and ticket number for requests | Enable to have mandatory completion of the Ticket System and Ticket Number fields on all requests.
Display who has approved sessions | Enable this option on all requests.
Reason is required for new requests | Enable this option on all requests.
Auto-select access policy for OneClick | Enable to automatically select the best access policy. When this option is selected, the access policy with the most available actions is selected, or multiple access policies are selected if each one has a different action. When this option is not selected, all the available access policy schedules display in OneClick.
Bypass SSH Landing Page for OneClick | Enable to save time for users when connecting using OneClick.
Bypass SSH Landing Page for regular or ISA requests | Enable to bypass the SSH landing page when running an SSH Session or SSH Application Session, and instead directly open PuTTY. This setting applies only to regular requests, ISA requests, and admin sessions. It does not apply to sessions initiated using OneClick.

For more information, please see "Add Ticket Systems to the List on the Requests Page" on page 123.

Session Monitoring

For information on Session Monitoring options, please see "Configure Session Monitoring" on page 106.

Purging

Setting | Description / Action
--- | ---
Minimum retention for old password | Set the number of days to retain old passwords. The default is 30 days. The range is 1 - 360 days.
Number of old passwords to retain | Set the number of past passwords to retain. The default is 5 passwords. The range is 1 - 30 passwords. Note: Password Safe will retain, at minimum, a number of passwords equal to the total of the current password (1) plus the value for Past Passwords. Password Safe will delete all passwords that are older than the number of days equal to the value of Minimum Retention Days.
Retention period for sent mail log | Set the number of days to store log entries for sent email. The default is 30 days. The range is 1 - 365 days.
Retention period for admin log | Set the number of days to store the administrator activity logs. The default is 90 days. The range is 30 - 365 days.
Retention period for password change log | Set the number of days to store password change logs. The default is 90 days. The range is 30 - 365 days.
Retention period for password test results | Set the number of days to store success and failure results for automated password tests. The default is 30 days. The range is 10 - 90 days.
Retention period for system event log | Set the number of days to store system event logs. The default is 365 days. The range is 5 - 1095 days.


Miscellaneous

Setting | Description / Action
--- | ---
Unlock accounts on password change | Enable for locked accounts to automatically unlock when their password has changed. Note: This only applies to BeyondInsight local user accounts.
Enable Rebex debug logging | Enable Rebex debug logging to troubleshoot custom platform issues.
Jumphost connect format | Select Hostname or IP Address.

Changes made to Global Settings can be seen on the User Audits page:

1. Go to Configuration > General > User Audits.
2. Changes that were made to Password Safe Global Settings are indicated as PMM Global Settings in the Section column. Click the i button for the audit item to view more details about the action taken.

Network traffic can create delays in establishing the connection. Increase the token timeout if you are experiencing network timeouts. For more information on multi-node session playback, please see "Configure Recorded Sessions in a Multi-Node Environment" on page 109.


Add Databases to Password Safe

There are two ways to discover and manage database instances:

• Auto Discover using a scan template, and then auto-manage using a smart group. Use this method for SQL Server and Oracle.
• Manually add and manage databases. Use this method for MongoDB, MySQL, Sybase ASE, and Teradata.

Auto Discover and Manage Database Instances

The following scan templates include database instance data in the scan results:

• All Audit Scan
• Asset Report Scan

After you run a scan, the assets are displayed on the Assets page. At this point, you can create a Smart Rule to manage the database instances.

1. Select Configuration > General > Smart Rules.
2. Click Create Smart Rule.
3. Select or create a new category and provide a name and description for the smart group.
4. For selection criteria, select Address Group, and then select the group that includes the database instances.
5. Add another condition, select Host Database Instance, and then select the database types.
6. For the actions, select Show asset as Smart Group.
7. Add more actions of Manage Assets using Password Safe, and then select the platforms, account name formats, functional accounts, and other desired settings, ensuring to use the default port numbers for the databases:

   • Oracle: 1521
   • SQL Server: 1433

8. Click Create Smart Rule.

Manually Add Database Instances

You can manually add the following database instance types. When selecting the database platform, ensure the correct port number is displayed.

• Mongo: 27017
• SQL Server: 1433
• MySQL: 3306
• Oracle: 1521
• PostgreSQL: 5432
• Sybase ASE: 5000
• Teradata: 1025

Manually Add Databases to Assets Managed by Password Safe

1. From the menu, select Assets.
2. Select the desired asset, and then click the More Options button, and select Go to advanced details.
3. Under General Data, select Databases.
4. Click Add Databases.
5. Provide a name, select the platform, add a version, leave the default port, and then click Save Database.

Manually Add Databases to Password Safe Management

1. From the menu, select Assets.
2. Assets that host database instances are indicated by a Database Host icon in the Solution column.
3. Select the desired asset, and then click the More Options button, then select Go to advanced details.
4. Under General Data, select Databases.
5. For the desired instance, click the More Options icon, and then select Add to Password Safe.
6. Select the functional account and other desired settings, and then click Create Managed System.

Manage Database Instance Accounts

Once the database instances are managed, create a managed accounts Smart Rule to manage the database instance accounts. The steps are the same for both auto discovered and manually added database instances.

1. Create a managed account based Smart Rule, and select the criteria that will match on the database instance account name.
2. Select Yes from the Discover accounts for Password Safe Management list.
3. From the Discover accounts from list, select the address group where the database instance resides.

Note: If you have named functional accounts (which are not defaults), you should remove them from management by using managed account field filters, as shown in the screen shot.

4. In the Actions section, select Show managed account as a Smart Group from the list.
5. Select Manage Account Settings from the list.
6. Select a password rule, and either Auto-Manage the Accounts or not.
7. Click Create Smart Rule.

Note: When using MySQL with multiple accounts with the same name, Password Safe can only support rotating the password on all instances of the username using a functional account.

Create a Functional Account for a SQL Server Database

When you are adding SQL Server as a managed system, you must first create a security login in SQL Server that you will use for the functional account.


Permissions and Roles in SQL Server

The following roles and permissions are required for the functional account:

• Server roles: public
• ALTER ANY LOGIN
• CONNECT SQL

Apply permissions to a functional account:

The following code samples show you how to apply the required permissions to the functional account.

GRANT CONNECT SQL TO [FunctionalAccountName];

GRANT ALTER ANY LOGIN TO [FunctionalAccountName];

Create the Account in SQL Server

1. Connect to a database as the SQL Server sa on the asset you have managed.
2. Expand Security and then expand Logins.
3. Right-click Logins and then select New login.
4. Enter a Login name and then select SQL Server Authorization.
5. Enter and confirm a password.
6. Configure the user as desired and then click OK.


7. To configure the user, right-click the user and then select Properties.
8. Select Server Roles and ensure the public role is selected.
9. Select Securables and then click Search.
10. Select the server instance and then click OK.
11. From the list of permissions, ensure Alter any login and Connect SQL are selected for Grantor sa.
12. Click OK.

SQL Server Instance Port Retrieval

To configure a SQL Server database for Password Safe, you need to retrieve the port number on the managed database instance using a query. The query below is required for named database instances only. You do not need to provide a port number for the default instance.

1. Create an instance on SQL Server.
2. Once the instance is running, open the database and then select New Query.
3. Execute the following query as shown on separate lines:

GO
xp_readerrorlog 0, 1, N'Server is listening on'
GO

4. Within BeyondInsight on the Assets page, find the asset where the SQL Server database is installed.
5. Within the asset's menu actions, select Go to advanced details.


6. Select the Database tab.
7. Click Add Database. Leave the default port or manually add the correct database port.
8. Click Save Database.
9. In the Database grid, select the newly created database from above.
10. From the Database menu actions, select Add to Password Safe.
11. Fill out the details required for the managed system.
12. Click the Create Managed System button.

Add a PostgreSQL Database Instance

A PostgreSQL database instance must be added manually.

Before adding the instance to Password Safe management, you must create an account in PostgreSQL that will be used as the functional account in Password Safe.


Create Accounts in PostgreSQL

Note: The following instructions are for guidance only. For details on how to create an account, refer to the PostgreSQL documentation.

To create the account with appropriate level permissions:

1. Run pgadmin from the icon on the tray.
2. Right-click Login/Group roles, and then select Create.
3. Enter a name. This will be the functional account.
4. On the Privileges tab, ensure the following permissions are in place for the functional account: Login, Create role, and Inherit rights from parent roles.
5. Right-click Login/Group roles, and then select Create.
6. Enter a name. This will be the managed account.
7. On the Privileges tab, ensure the following permissions are in place for the managed account: Login, and Inherit rights from parent roles.

You also need to know the database instance name and the port number. In pgadmin, click Object, select Properties, and then select the Connection tab.

Add the PostgreSQL Instance to Password Safe

1. Scan the asset where the PostgreSQL instance resides.
2. Go to the Assets page.
3. Select the desired asset, and then click the More Options button, then select Go to advanced details.
4. Under General Data, select Databases.
5. For the desired instance, click the More Options icon, and then select Add to Password Safe.
6. Set the following:

   • Instance Name: Enter the instance name.
   • Platform: Select PostgreSQL.
   • Version: Enter the PostgreSQL version number. This is optional.
   • Port: Default port value is 5432.

7. Click Create Managed System.

Configure Settings on the Oracle Platform

When adding Oracle as a managed system, follow these steps:

• Add the functional account to the console.
• Add the functional account to the Oracle User list in Oracle.
• Set the IP address for the host in Oracle Net Manager.


Add the Functional Account

1. Select Configuration.
2. Under Privileged Access Management, click Functional Accounts.
3. Click Create Functional Account.
4. Select Database from the Type dropdown list.
5. Select Oracle from the Platform list.
6. Select SYSDBA from the Privilege list, and then enter the username and password. The SYSDBA role is required if you use the SYS Oracle account as the functional account.
7. Continue to set the remaining options.

Note:When adding the Oracle platform as a managed system, be sure to select the SYSDBA functional account.

For more information, please see "Create a Functional Account" on page 10.

Set Permissions for the Functional Account in Oracle

In Oracle Enterprise Manager, the functional account (other than SYS) must be added to the Oracle User list.

The user account must be assigned the following Privileges & Roles:

• ALTER USER
• CONNECT
• SELECT ON DBA_USERS (required for autodiscovery of Oracle instance managed accounts)


Create the Functional Account in Oracle

To create a functional account in Oracle:

    CREATE USER [FunctionalAccountName] IDENTIFIED BY password;
    GRANT CONNECT TO [FunctionalAccountName];

To grant the functional account permission to change passwords on a managed account (ALTER USER) and to discover accounts (SELECT ON DBA_USERS):

    GRANT CONNECT TO [FunctionalAccountName];
    GRANT ALTER USER TO [FunctionalAccountName];
    GRANT SELECT ON DBA_USERS TO [FunctionalAccountName];

ALTER USER is a system privilege that lets this account set the password of other database users, which is exactly why its own password should exist only in Password Safe and be rotated there. Do not grant the DBA role as a shortcut; the three grants above are all the platform needs.
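The grants above are short, but two things routinely go wrong in practice: the account name is pasted into DDL unchecked (DDL cannot take bind variables), and the account quietly ends up with DBA because someone wanted autodiscovery to "just work". The following Python is an added example, not BeyondTrust code: it emits the guide's statements with the identifier validated first, and audits catalog rows for a grantee against the required set. The catalog rows are constructed to look like DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS; the "excess" list is my choice for the example.

```python
"""Provision and audit the Oracle functional account described above.

Added example, not BeyondTrust code. provisioning_sql() emits the
CREATE USER / GRANT statements from the guide with the identifier
validated first. audit() compares catalog rows for one grantee against
that required set and flags grants a password-rotation account should
not hold. The rows at the bottom are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Grants the guide requires for a non-SYS functional account.
REQUIRED_ROLES = {"CONNECT"}
REQUIRED_SYS_PRIVS = {"ALTER USER"}
REQUIRED_TAB_PRIVS = {("SELECT", "SYS", "DBA_USERS")}

# Grants that make the account a much bigger target than it needs to be.
# This list is my choice for the example, not something the guide states.
EXCESS_ROLES = {"DBA"}
EXCESS_SYS_PRIVS = {"GRANT ANY PRIVILEGE", "GRANT ANY ROLE", "CREATE USER", "DROP USER"}

# Oracle unquoted identifier: a letter, then letters, digits, _, $ or #.
IDENTIFIER_RE = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")


def is_valid_identifier(name: str) -> bool:
    """True if name can be spliced into DDL as an unquoted identifier."""
    return IDENTIFIER_RE.match(name.upper()) is not None


def provisioning_sql(name: str, password_ref: str = "&password") -> list[str]:
    """Return the statements from the guide for one functional account.

    The identifier is validated rather than quoted, so anything with
    spaces, quotes or semicolons is rejected before it reaches the DDL.
    password_ref defaults to a SQL*Plus substitution variable so the
    password is prompted for at run time instead of stored in a script
    (assumption: the output is run with SQL*Plus or a client that
    supports &variables).
    """
    if not is_valid_identifier(name):
        raise ValueError(f"not a valid Oracle identifier: {name!r}")
    name = name.upper()
    return [
        f"CREATE USER {name} IDENTIFIED BY {password_ref};",
        f"GRANT CONNECT TO {name};",
        f"GRANT ALTER USER TO {name};",
        f"GRANT SELECT ON DBA_USERS TO {name};",
    ]


@dataclass
class AuditReport:
    grantee: str
    missing: list[str] = field(default_factory=list)
    excess: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing and not self.excess


def audit(grantee, role_privs, sys_privs, tab_privs) -> AuditReport:
    """Compare one grantee's rows with the required and excess sets.

    role_privs: (grantee, granted_role)                 as in DBA_ROLE_PRIVS
    sys_privs:  (grantee, privilege)                    as in DBA_SYS_PRIVS
    tab_privs:  (grantee, owner, table_name, privilege) as in DBA_TAB_PRIVS
    """
    grantee = grantee.upper()
    roles = {r for g, r in role_privs if g == grantee}
    sysp = {p for g, p in sys_privs if g == grantee}
    tabp = {(p, o, t) for g, o, t, p in tab_privs if g == grantee}
    report = AuditReport(grantee)
    report.missing += sorted(f"ROLE {r}" for r in REQUIRED_ROLES - roles)
    report.missing += sorted(f"SYSPRIV {p}" for p in REQUIRED_SYS_PRIVS - sysp)
    report.missing += sorted(f"{p} ON {o}.{t}" for p, o, t in REQUIRED_TAB_PRIVS - tabp)
    report.excess += sorted(f"ROLE {r}" for r in roles & EXCESS_ROLES)
    report.excess += sorted(f"SYSPRIV {p}" for p in sysp & EXCESS_SYS_PRIVS)
    return report


# Constructed catalog rows: PS_FUNC was provisioned as the guide says;
# PS_LAZY was handed DBA instead and never got the DBA_USERS grant.
ROLE_PRIVS = [("PS_FUNC", "CONNECT"), ("PS_LAZY", "CONNECT"), ("PS_LAZY", "DBA")]
SYS_PRIVS = [("PS_FUNC", "ALTER USER"), ("PS_LAZY", "ALTER USER")]
TAB_PRIVS = [("PS_FUNC", "SYS", "DBA_USERS", "SELECT")]

if __name__ == "__main__":
    print("\n".join(provisioning_sql("ps_func")))
    for account in ("PS_FUNC", "PS_LAZY"):
        r = audit(account, ROLE_PRIVS, SYS_PRIVS, TAB_PRIVS)
        print(account, "OK" if r.ok else f"missing={r.missing} excess={r.excess}")
```

To use it against a live instance, run the three catalog queries as SYS (filtering on GRANTEE), pass the rows in the tuple shapes noted in the docstring, and treat a non-empty excess list as a finding even when nothing is missing.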


Configure the Host

On the Oracle platform, you must configure the following settings:

- In Oracle Net Manager, the host name or IP address must be explicitly set as a listener.
- Also in Oracle Net Manager, set the service name as the host name or IP address.

Use Encrypted Connections

Password Safe supports Oracle database connections that are configured to use Oracle Net encryption. Using encryption is optional.

The following encryption algorithms are supported:

- AES128
- AES192
- AES256
- RC4_128, RC4_256, 3DES112
- 3DES168

RC4 and 3DES are listed for compatibility with older servers; where the server allows it, choose AES256, as in the configuration below.


Configure encryption using Oracle Net Manager.

Note: The following section is provided for guidance only. For more information, refer to Oracle product documentation.

On the Profile node, select Network Security and then set the following:

- On the Integrity tab, select:
  - Server from the Integrity menu
  - required from the Checksum Level menu
  - SHA256 as the method
- On the Encryption tab, select:
  - Server from the Encryption menu
  - required from the Encryption Type menu
  - AES256 as the method

Note: If you select required for Checksum Level and Encryption Type, you must enter an encryption seed in the sqlnet.ora file.

Oracle Internet Directories (OID)

OID Connect Descriptors (also known as TNS Connect Strings) define all parameters needed to connect to a specific Oracle database service, such as the instance name, DNS name, IP address, and port. You can leverage OID Connect Descriptors to add Oracle database systems to Password Safe.

When adding an Oracle database as a Managed System in Password Safe, select the appropriate database service and Password Safe will read the Connect Descriptor data when communicating with the Oracle database.


Configure an Oracle Internet Directory

To use this functionality, you first need to configure an OID.

1. Go to Configuration > Privileged Access Management > Oracle Internet Directories.
2. Enter a name for the directory, a short description, and the connection information for the LDAP server.
3. Check Use SSL if desired. Plain LDAP sends the bind credentials and the connect descriptors in cleartext, so enable it whenever you bind with a name and password.
4. If you turn off Use Anonymous, enter a name and password.
5. Click Save Directory when done, or Discard if you do not wish to keep it.
6. You can also click Test Server to test the connection.


Add Applications to Password Safe

Applications can be managed by Password Safe. Requesters can then request access to the application and launch a session through the Password Safe web portal.

Application sessions can be recorded.

The system where the application resides must already be added to Password Safe before you can add the application.

To add an application to Password Safe management, you must do the following:

- Set up the application details in Password Safe configuration.
- Associate the application with a managed account.
- Create an access policy that permits application access. Recording and keystroke logging can be turned on here.
- Create a user group that includes the managed accounts. Assign the Requester role (or Requester/Approver role), which includes selecting the access policy.

Add an Application

Follow the steps below to add an application.

1. Select Configuration > Privileged Access Management > Applications.
2. Click Create Application.
3. Enter a name for the application. It is recommended to use the name of the application for transparency.

The following are optional categorization fields:

- Version
- Publisher
- Type
- Parameters: The arguments to pass to the application. Default placeholders are as follows:
  - managed account name = %u
  - managed account password = %p
  - managed asset name = %h
  - managed asset IP = %i
  - database port = %t
  - database instance or asset name = %d
  - jump host DNS = %n
  - database DNS = %s

  Anything passed through %p appears in the application's command line, which is visible in process listings and can end up in logs on the application server. Prefer AutoIt Passthrough (below), which delivers the credentials over the RDP virtual channel instead.

- Functional Account: Select a functional account from the menu. The functional account must already be created.
- Managed System: The managed system must have the application (such as wordpad.exe) configured. When starting an application session, an RDP session connects to this application server and starts the application.
- AutoIt Passthrough: Check this box to automatically pass the credentials for the application through an RDP virtual channel. Using AutoIt Passthrough provides a secure way to access applications through a remote session. The user requesting the session is not required to enter the application credentials.
- Launch Application in RemoteApp mode: If enabled, this initiates a RemoteApp session instead of a full desktop session. This limits use to the specified app and the user is presented with an application window. This setting is defined per application.


The following fields are required:

- Alias: Combines the name and version entered by default, but can also be edited to display any desired alias.
- Application/Command: The path to the application. For example, C:\Program Files\Windows NT\Accessories\wordpad.exe.

Note: If Functional Account is set, then Managed System is required.

4. Administrators can associate the application with a linked Windows system or a linked Linux or Unix system. By default, the boxes are not checked; this is the most restrictive state. A standard user in Password Safe sees one row with an application to the same functional account and managed system.

- Associate the Application with a linked Windows system: Standard users see all Windows-based systems applied to the Domain Linked Account when they log in to Password Safe. This excludes Linux and Unix systems.
- Associate the Application with a linked Linux/Unix system: Standard users see all Linux and Unix-based systems applied with the Domain Linked Account. This excludes Windows systems.
- If both options are enabled, all systems associated to the Domain Linked Account are shown.

Note: When configuring access to a Linux system, sudo can be used to configure authentication. The administrator can include a functional account, but this is not required.

5. Select Active to make the application available for remote sessions.
6. Click Create Application.

There are prerequisites that must be met before you can use AutoIt Passthrough. For more information, please see "Use AutoIt Passthrough" on page 84.

Use Encryption Module for RemoteApp

The Encryption Module for RemoteApp is automatically enabled to hide sensitive information from the terminal service logs.

To use this encryption, the managed system must be configured with a functional account which is also an administrator on the server the user is connecting to.

Associate the Application with a Managed Account

Now that the application is configured, the application must be associated with a managed account.

1. In the console, click Managed Accounts.
2. On the Managed Accounts page, select the managed account, click the More Options icon, and then select Edit Account.
3. In the Edit Managed Account pane, scroll down to Applications and click + to expand the Applications section.
4. From the dropdown list, select the applications and then click Update Account.


You can select the application by editing the managed account. For more information about managed account settings, please see "Add a Managed System Manually" on page 11.

Set Up the Access Policy

You can create an access policy or use an existing policy. The access policy is part of the Requester role setup, described in the next section.

Note: The Application Access Policy applies to all applications.

1. Select Configuration > Privileged Access Management Policies > Access Policies.
2. Create a new access policy and schedule, or edit an existing access policy and schedule; enable the Application policy type for the schedule, and save the access policy.

For more information on creating and editing access policies and schedules, please see "Configure Password Safe Access Policies" on page 45.

Set Up Role-Based Access

Users who need to access an application must be managed accounts that are members of a group.


Note: Access to applications is also available to admins and ISA users, without the need to configure an access policy.

The Requester role and application access are assigned as part of creating the user group.

Use AutoIt Passthrough

The following prerequisites must be in place before you can use the AutoIt Passthrough feature:

- The application must be launched through an AutoIt script.
- The wrapper AutoIt script must call the Password Safe Passthrough library through pbpspassthru.dll (provided as part of the Password Safe Resource Kit).

For information about turning on the feature, please see "Add an Application" on page 81.

AutoIt Script Details

The AutoIt example script uses the following:

- pbpspassthru.dll
- pbps_get_credentials
- DllCall: An AutoIt function. The first argument takes the location of the DLL to call. In the example, pbpspassthru.dll is located in the same directory as the AutoIt script.

Example:

Func get_credentials($token)
    ; $token is the one-time token Password Safe passes as the last command-line argument,
    ; so callers typically use get_credentials($CmdLine[$CmdLine[0]]).
    ; pbpspassthru.dll is loaded from the script's directory; $aResult[0] is the DLL's return value.
    Local $aResult = DllCall("pbpspassthru.dll", "str:cdecl", "pbps_get_credentials", "str", $token, "bool", 0)
    If @error Or $aResult[0] = "" Then Return SetError(1, 0, 0) ; DLL missing, or token invalid/already used (NULL)
    ; respond_with_json = 0, so the result is white-space delimited; $credentials[0] holds the field count.
    Local $credentials = StringSplit($aResult[0], " ")
    Return $credentials
EndFunc

pbps_get_credentials Function

char* pbps_get_credentials(char* token, bool respond_with_json)

Parameters

char* token: A one-time use token provided by Password Safe as the last command-line argument passed to the AutoIt script.

bool respond_with_json: A flag to toggle the format of the credentials. When this value is true, the credentials are returned in JSON format. Otherwise, they are returned as a white-space delimited list. A password that itself contains whitespace cannot be split reliably in the delimited format, so scripts that must handle arbitrary passwords should request JSON.

Return Value

The token is sent to Password Safe to be validated.

- If the token is valid for the current session and has not been used, the return value is a string with the credentials in the requested format.
- If the token is invalid or has already been used, the return value is NULL.


Tokens are validated and credentials are sent over an encrypted RDP virtual channel not visible to the end user.
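The exchange above has two properties worth checking in code: the token is accepted exactly once, and only from the session it was issued for. The following Python is an added model of both sides of that exchange, not BeyondTrust code and not the pbpspassthru.dll API; the JSON field names and the session-binding check are my assumptions, since the guide only states the rules, not the wire format.

```python
"""Model of the one-time-token exchange behind AutoIt Passthrough.

Added example, not BeyondTrust code and not the pbpspassthru.dll API.
The server side models the two rules the guide gives: a token is accepted
once, and only for the session it was issued for. The client side parses
the two result formats; the JSON field names are my assumption.
"""
import json
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class _Issued:
    session_id: str
    username: str
    password: str
    used: bool = False


class PassthroughServer:
    """Password Safe side: issues and validates one-time tokens."""

    def __init__(self) -> None:
        self._tokens: dict[str, _Issued] = {}

    def start_session(self, session_id: str, username: str, password: str) -> str:
        """Launch an application session and return the token that Password
        Safe appends as the last command-line argument of the AutoIt script."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = _Issued(session_id, username, password)
        return token

    def get_credentials(self, token: str, respond_with_json: bool, session_id: str) -> Optional[str]:
        """Mirror pbps_get_credentials: credentials once, then None (NULL)."""
        issued = self._tokens.get(token)
        if issued is None or issued.used or issued.session_id != session_id:
            return None
        issued.used = True          # replaying the token later yields None
        if respond_with_json:
            return json.dumps({"username": issued.username, "password": issued.password})
        return f"{issued.username} {issued.password}"


def parse_credentials(raw: Optional[str], is_json: bool) -> tuple[str, str]:
    """Client side: turn the DLL result into (username, password).

    The white-space format cannot carry a password that itself contains
    whitespace, which is why a script that must handle arbitrary passwords
    should ask for JSON.
    """
    if raw is None:
        raise PermissionError("token rejected: invalid, already used, or wrong session")
    if is_json:
        data = json.loads(raw)
        return data["username"], data["password"]
    parts = raw.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected credential format: {len(parts)} fields")
    return parts[0], parts[1]


if __name__ == "__main__":
    server = PassthroughServer()
    token = server.start_session("sess-1", "svc_app", "p@ss word")   # constructed
    print(parse_credentials(server.get_credentials(token, True, "sess-1"), True))
    print(server.get_credentials(token, True, "sess-1"))             # None: token spent
```

The point of the model is the failure path: a script that retries pbps_get_credentials after a transient error gets NULL the second time, so the wrapper should surface that as "token spent, relaunch the session" rather than looping.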

Add SAP as a Managed System

You can add your SAP environment to Password Safe management.

Password Safe supports SAP NetWeaver.

Requirements

- Instance Number: When adding the system to Password Safe you need to know the SAP instance number.
- Client ID: An ID that is unique to that SAP instance.

Note: The instance number and client ID are provided in an email when you purchase SAP.

- SAP permissions: The Password Safe functional account requires RFC privileges.

  SAP RFC privileges are needed for password changes. RFC permissions assigned to the functional account permit the password change. However, the password cannot be tested.

  If an account has RFC privileges, that account can change its own password and the passwords of other accounts. It can also test its own password.

- The username and password in Password Safe must be the same as in SAP.

Set Up the Functional Account

The functional account requires the Client ID. All other settings are the typical functional account settings.

Please see "Create a Functional Account" on page 10.

Add SAP

You must add SAP manually. You cannot add SAP using a Smart Rule.

1. In the console, click Assets.
2. Select the asset where the SAP instance resides, and then select Add to Password Safe.
3. Select SAP from the Platform list.
4. Enter the instance number.
5. All other settings are the typical managed system settings.

Please see "Add a Managed SystemManually" on page 11.


Configure API Registration

BeyondInsight provides a way to integrate part of the BeyondInsight and Password Safe functionality into your applications, using an API key. The API Registrations page is only available to Password Safe administrators.

To create an API Registration:

1. In the BeyondInsight console, go to Configuration > General > API Registrations.
2. Click Create New API Registration.
3. Enter a name for the new registration and then click Create API Registration.

BeyondInsight generates a unique identifier (API key) that the calling application provides in the Authorization header of the web request. The API key is masked and can be shown in plain text by clicking the Show Key icon next to the Key field. The API key can also be manually rotated (changed) by clicking the circular arrow.

Note: Once the key has been changed, any script using the old key receives a "401 Unauthorized" error until the new key is used in its place. Read access to and rotation of the key are audited.

4. To configure the new registration or modify an existing one, select the registration and then set the Authentication Rule Options in the registration's Details pane.

- Enforce multi-factor authentication: This setting is enabled by default. When enabled, it requires users to abide by the multi-factor authentication settings configured for Password Safe. Disabling this setting bypasses multi-factor authentication when accessing user accounts through the API. This allows applications integrated with Password Safe using an API key to apply the multi-factor authentication settings configured for the application instead of the Password Safe settings. Disable it only for applications that do enforce their own second factor; otherwise the API key plus a RunAs user name becomes a single-factor path into Password Safe.
- Client Certificate Required: When enabled, a client certificate is required with the web request; if not enabled, client certificates are ignored and do not need to be present. A valid client certificate is any client certificate that is signed by a Certificate Authority trusted by the server on which BeyondInsight resides. Note that this check is on the issuing CA, not on a particular certificate, so keep the set of CAs that server trusts deliberately small.
- User Password Required: When enabled, an additional Authorization header value containing the RunAs user password is required with the web request. If not enabled, this header value does not need to be present and is ignored if provided.

  Square brackets surround the password in the header. For example, the Authorization header might look like:

  Authorization=PS-Auth key=c479a66f…c9484d; runas=doe-main\johndoe; pwd=[un1qu3];

- Verify PSRUN Signature: The PSRUN signature is an extra level of authentication. It is computed from the factors using a shared secret between the client and server. PSRUN sends the signature as part of the header during its API request. If enabled, the server recomputes the signature during factor validation and compares it against the one sent by the client. If the signatures match, the client's identity is considered verified. The signature effectively keeps the client in sync with the server. Changing the secret on the server requires the client to be rebuilt and guarantees that out-of-date clients cannot authenticate.


5. From the registration's Details pane, click Add Authentication Rule. At least one IP rule or PSRUN rule is required, providing a valid source IP address (IPv4 or IPv6), an IP range, or CIDR from which requests can be sent for this API key (one IP address, IP range, or CIDR per line).

   X-Forwarded-For rules can also be created, providing a valid source IP address (IPv4 or IPv6), an IP range, or CIDR from which requests can be sent for this API key. In a load-balanced scenario, IP authentication rules are used to validate the load balancer IPs, and the X-Forwarded-For header is used to validate the originating client IP. Existing rules cannot be changed from an IP rule to an X-Forwarded-For rule, or vice versa.

   If an X-Forwarded-For rule is configured, the header is required on the HTTP request (only a single header is allowed on the request). If the X-Forwarded-For header is missing, the request fails with a 401 Unauthorized error.

   Because any client can set X-Forwarded-For itself, an X-Forwarded-For rule only adds assurance when the IP rule restricts the peer to your own load balancers, and those load balancers overwrite the header with the real client address rather than appending to it.

6. In the Create New Authentication Rule pane, click Create Rule.
7. In the Details pane, click Save Changes.
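The header format and the rule semantics above are easy to get subtly wrong in a client or a gateway, so here is an added Python model of both, not BeyondInsight code. The PS-Auth header layout follows the guide; the rule matching is my reading of the text (IP rules check the TCP peer, X-Forwarded-For rules check the forwarded client, exactly one X-Forwarded-For header is allowed, every failure is a 401). The key, addresses and headers are constructed.

```python
"""Model of the checks an API Registration applies to an incoming request.

Added example, not BeyondInsight code. The PS-Auth header layout follows
the guide; the rule matching is my reading of the text above. Keys,
addresses and headers used here are constructed.
"""
import hmac
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# key=value; pairs, where the pwd value is bracketed and may contain ';'.
_FIELD_RE = re.compile(r"(\w+)=(\[[^\]]*\]|[^;]*);")


def ps_auth_header(key: str, runas: str, password: Optional[str] = None) -> str:
    """Build the Authorization value; pwd is only sent when the registration
    has User Password Required enabled, wrapped in square brackets."""
    value = f"PS-Auth key={key}; runas={runas};"
    if password is not None:
        value += f" pwd=[{password}];"
    return value


def parse_ps_auth(value: str) -> dict[str, str]:
    """Split 'PS-Auth key=...; runas=...; pwd=[...];' into its fields.
    A password containing ']' is ambiguous in this format; this parser
    does not try to handle it."""
    if not value.startswith("PS-Auth "):
        return {}
    fields = dict(_FIELD_RE.findall(value[len("PS-Auth "):]))
    if "pwd" in fields:
        fields["pwd"] = fields["pwd"][1:-1]        # strip the brackets
    return fields


def _networks(rule: str):
    """A rule line is one address, a CIDR, or a 'start-end' range (v4 or v6)."""
    rule = rule.strip()
    if "-" in rule:
        start, end = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(rule, strict=False)]


def _allowed(addr: str, rules: list[str]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for rule in rules for net in _networks(rule))


@dataclass
class Registration:
    key: str
    ip_rules: list[str] = field(default_factory=list)   # validate the TCP peer
    xff_rules: list[str] = field(default_factory=list)  # validate X-Forwarded-For


def authorize(reg: Registration, headers: list[tuple[str, str]], remote_addr: str) -> tuple[int, str]:
    """Return (HTTP status, reason) for one request.

    headers is a list of (name, value) pairs so duplicate headers are visible.
    """
    auth = [v for k, v in headers if k.lower() == "authorization"]
    fields = parse_ps_auth(auth[0]) if len(auth) == 1 else {}
    if not hmac.compare_digest(fields.get("key", ""), reg.key):   # constant-time compare
        return 401, "missing or wrong API key"
    if reg.ip_rules and not _allowed(remote_addr, reg.ip_rules):
        return 401, f"source {remote_addr} matches no IP rule"
    if reg.xff_rules:
        xff = [v for k, v in headers if k.lower() == "x-forwarded-for"]
        if len(xff) != 1:
            return 401, "exactly one X-Forwarded-For header is required"
        client = xff[0].split(",")[0].strip()   # leftmost entry = originating client (assumption)
        if not _allowed(client, reg.xff_rules):
            return 401, f"forwarded client {client} matches no X-Forwarded-For rule"
    return 200, "ok"


# Constructed registration: requests arrive via load balancers in 10.0.0.0/24
# and must originate from one of the listed client addresses.
REG = Registration(
    key="c0ns7ruc7ed-example-key",
    ip_rules=["10.0.0.0/24"],
    xff_rules=["192.0.2.10", "198.51.100.5-198.51.100.9", "2001:db8::/64"],
)

if __name__ == "__main__":
    hdr = ("Authorization", ps_auth_header(REG.key, "corp\\svc_api"))
    print(authorize(REG, [hdr, ("X-Forwarded-For", "192.0.2.10")], "10.0.0.7"))
    print(authorize(REG, [hdr], "10.0.0.7"))   # 401: header required by the XFF rule
```

The last two checks in authorize() are the ones that matter in the load-balanced deployment: a request that reaches BeyondInsight directly from an allowed client address but not through the load balancer is refused by the IP rule, and a request through the load balancer without the header is refused even though its peer address is fine.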

For more information, please see the following:

- For more detailed information on API Registrations using the Auth/SignAppIn API function, see the BeyondInsight and Password Safe API Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/api/authentication.htm
- For information on how to grant API access to BeyondInsight users, see "Configure Role Based Access" on page 35


Add a Custom Platform or Application Platform

On the Custom Platforms page, you can add SSH and Telnet platforms, as well as SSH application platforms, tailored to your environment. Password Safe contains several built-in SSH and Telnet platforms designed for the most common configurations, such as Linux, Solaris, and Cisco. You can modify the details of built-in custom platforms to meet the needs of your environment. You can create new custom platforms for advanced configurations that are not supported by the built-in platforms, or for a platform that is currently not supported by Password Safe. You can also create new custom platforms by cloning a built-in or user-created custom platform.

All custom platforms work in the same way: by connecting to a remote SSH or Telnet server and waiting for a response. Once a response is received, a regular expression is evaluated against the response and the platform replies with a command that starts the process of changing a password on the relevant system.

Create a New Platform

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Custom Platforms.
2. In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Platform.

   Alternatively, click the Actions (vertical ellipsis) button for a platform in the list, and then select Clone to clone an existing platform and modify its settings as desired.

3. Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.


Configure the Options Tab

- Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.
- Platform ID and Platform Type are assigned by the system and cannot be entered or edited.
- Active: Check this option to make the platform active in BeyondInsight and Password Safe.
- Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.
- Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.
- Communications Protocol: Indicate if the custom platform uses Telnet or SSH. Telnet carries the functional account's password and the new password in cleartext on the wire; use SSH unless the device genuinely supports nothing else.
- Port: Use the default port of 22 for SSH or 23 for Telnet. Optionally, enter a port to test the settings.
- Template Fields and Scripting:
  - Prompt regex: Regular expression that evaluates to the shell prompt of the remote system; for example, ~ ]#.
  - Config prompt regex and Elevated prompt regex: These two regular expressions are mainly meant for network appliances that have multiple prompts, depending on a mode.
  - End of line: The end of line field specifies how the platform indicates to the SSH or Telnet server that it is sending a command. The default is the carriage return character (\r).
  - Exit Command: Leave the default command as exit, or specify a new command for the platform to exit SSH or Telnet.
  - Password command: Enter the command to change the password.
- Enable Account Elevation: Check this option if you want to select an Elevation Command.
- Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:
  - sudo
  - pbrun


  - pmrun
  - pbrun jumphost

- Enable Jump Host: If you use the elevation command pbrun jumphost, you can configure the Privilege Management for Unix & Linux policy server host name to connect to. Check this option to enable the jump host, and then enter the policy server host name details when configuring the Check Password options on the Check/Change Password tab.
- Enable Cisco Enable Password: Check this option to display the Change Enable Password option on the Functional Account tab under Advanced Details for a Cisco managed system.

Configure the Steps Tab

From the Steps tab, define the responses that you expect from the server and the replies the platform sends. The options include two groups: After Login and Error Handling.

1. On the Steps tab, select the Step Type from the list. The template for expect statements changes depending on which of the following types is chosen:

   - Change Password: Manually changes the password for the custom platform.
   - Check Password: Tests the password by attempting a logon.
   - Replace Public Key: Runs a script to replace the public key.

2. Use the default statement group to start the custom platform. Additional statements and statement groups can be created as required.

   - To create a new statement, click Add New Statement + at the bottom of an existing statement group.
   - To delete a statement, click the X at the right end of the Expect statement line.
   - To create a new statement group, click Add New Statement Group + at the bottom of the last statement group.
   - To delete a statement group, click the X at the right end of the statement group name.
   - To edit the name of the statement group, hover the cursor over the group name, click in the field, and then enter the name.

3. Enter an Expect statement. There are two ways to populate the Expect field:

   - Type text or a regular expression in the field.
   - Use a template field variable: click in the field, enter <<, and then select a template from the list.

   Expect patterns are evaluated against everything the server sends back, so make them specific: a pattern that also matches the login banner or the echo of the previous command sends the response one step too early.

4. Enter a Response statement. There are two ways to populate the Response field:

   - Type text or a regular expression in the field.
   - Use a template field variable: click in the field, enter <<, and then select a template from the list.

5. The Response type can be changed by selecting an option from the Send Response dropdown list. If goto is selected, you need to select a statement group from the resulting list.

6. Error Handling is enabled by default. Uncheck this option if error handling is not required. If error handling is required, ensure an error message is entered in the Expect statement for Error Handling.

7. The order of statement processing can be changed by clicking the Up or Down icons at the left of each Expect statement.

The following is an explanation of the functionality for each setting on the Steps tab, using a Linux platform as an example:


• Error Handling: The error handling check ensures that when a statement comes in, all of the statements in the error handling section are evaluated first, before Enter your reason for login. For example, when the platform connects to the remote SSH server, the SSH server replies with:

Welcome to Linux Mint
* Documentation: http://www.linuxmint.com
Last login: Mon Apr 13 10:45:51 2015 from dev-machine
Enter your reason for login:

The platform tries to find a match, in the following order:

- BADCOMMAND
- Usage:
- BAD PASSWORD
- Enter your reason for login:

If a match is found for Enter your reason for login, the platform replies with changing password. The platform expects the SSH server to send back the shell prompt, and the platform replies with passwd <<manacctname>>.

When the platform communicates with the remote server, it replaces the tags with data. In the image shown, <<manacctname>> is replaced by the managed account associated with the platform. These are template field variables that are inserted into the Expect box and Response box. If you have a prompt defined in the Options tab as ~]$, the platform converts the tag <<prompt>> to this value when it evaluates the regular expressions.

• Expect Statement: We recommend that you include the prompt in the regex of the Expect field to ensure the platform waits until all the data from the previous command is read from the target system before proceeding to the next statement.

The final Expect statement says expect all authentication tokens updated successfully, and the response statement is finish with success. When you create a custom platform, you must be able to detect when a password has been successfully changed on the remote server. When you have detected this event, you must set the Action dropdown to finish with success.

• Goto statements: The flow jumps to the group specified by the goto statement. Flow does not return to the original group. If a group is to be used as a goto target, it should be designed such that the intended task of the platform is completed there.

Configure the Check/Change Password Tab

Once you complete the fields on the Check/Change Password tab, Password Safe runs the credentials: it logs in to the host using the managed account name and works through the configuration provided on the Steps tab.


1. Select the Host from the dropdown.
2. If you use the elevated credential pbrun jumphost, enter the IP address for the PBUL policy server in the Jumphost field.

Note: Ensure the Enable Jump Host box is checked on the Options tab. Otherwise, the Jumphost field is not displayed on the Check/Change Password tab.

3. Use the default port for SSH or Telnet. Optionally, enter a port to test the settings.
4. Provide the details for the Functional Account Credentials.
5. In the Elevation Command field, enter an elevated account such as sudo or sudoer to elevate the functional account permissions.
6. Provide Managed Account Credentials and a new password.
7. Click Change Password or Check Password, as applicable.
8. When the test returns a successful connection, go to the Options tab, check the Active box, and then click Create Platform.

Create a New Application Platform

Custom application platforms leverage the custom platform functionality, with the added capability of providing an intermediary target (Application Host) for the custom platform, using a script-based approach to managing accounts on application servers specific or customized to your environment.

Note: Custom application platforms only support SSH; Telnet is not supported.


Prior to creating a new application platform, you must configure a managed system to be an application host by enabling the Allow Managed System to be an Application Host setting in its properties. The application host is the managed system where the scripts for the application are executed.

Note: Once a managed system is configured as an application host, other managed systems can be configured to use it, as indicated by the Associated Managed Systems indicator. You cannot disable the Allow Managed System to be an Application Host setting if other managed systems are currently configured to use this application host.

To create the new application platform, follow these steps:

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Custom Platforms.
2. In the Custom Platforms pane, click Create New Custom Platform, and then select Create New Application Platform.
3. Configure the settings on the Options, Steps, and Check/Change Password tabs as detailed in the following sections.


Configure the Options Tab

• Platform Name: Enter a name for the custom platform. The given name appears in the Platform lists throughout BeyondInsight and Password Safe and must be unique. Platform names cannot be changed after they have been created.

• Platform ID and Platform Type are assigned by the system and cannot be entered or edited.

• Active: Check this option to make the platform active in BeyondInsight and Password Safe.

• Enable Login Account: Check this option to display the Use Login Account for SSH Sessions option under the Credentials section in the settings for a managed system. Use this feature when an account other than the functional account is used to log in to the managed system.

• Enable Account Name Format: Check this option to display the Account Name Format dropdown under the Credentials section in the settings for a managed system.

• Enable Account Elevation: Check this option if you want to select an Elevation Command.

• Elevation Command: Select an elevation command from the list to enable the option to elevate the functional account permissions on a managed system. The following elevation command types are supported:

  - sudo
  - pbrun
  - pmrun
  - pbrun jumphost

Configure the Steps Tab

The Steps tab is configured in the same way as it is for all custom platforms. However, for application platforms there are 6 additional fields available for Expect statements, as follows:

• Address
• App Host Functional Account Keypass
• App Host Functional Account Key
• App Host Functional Account Name
• App Host Functional Account Password
• Port

For more information on configuring the Steps tab, please see "Create a New Application Platform" on page 92.


Configure the Check/Change Password Tab

The Check/Change Password tab is configured in the same way as it is for all custom platforms; however, you must also select an Application Host.

Once your custom application platform has been created, you can configure a managed system to use it by selecting it from the Platform dropdown. Also select the Application Host for this managed system. When Password Safe rotates or checks a password for an account that exists on this managed system, it connects to the application host and then runs the steps as defined on the Steps tab for this custom application platform instance.


For more information on configuring the Check/Change Password tab, please see "Create a New Application Platform" on page 92.

Export or Import a Custom Platform

Export a Custom Platform

Exporting a custom platform can assist you with troubleshooting.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Custom Platforms.
2. Click the Actions (vertical ellipsis) button for the platform you wish to export, and then select Export.
3. Save the XML file.

Import a Custom Platform or Application Platform

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Custom Platforms.
2. In the Custom Platforms pane, click Create New Custom Platform.
3. Select Import Platform (XML).
4. Locate and select the exported platform file. If the platform currently exists, it modifies the existing platform. If the platform does not currently exist, a new custom platform is added.

Example of Linux Platform

In this short synopsis of the Linux platform, you can see how it works by expecting data and responding to the data based on the evaluation of regular expressions. It examines the output of each command to determine if an error occurred or if it can continue sending replies to the server.

1. Platform establishes a connection to the remote SSH server with the provided credentials.
2. SSH server replies with:

Welcome to Linux Mint
* Documentation: http://www.linuxmint.com
Last login: Mon Apr 13 10:45:51 2015 from dev-machine
dev@dev-machine ~ ]#

3. The platform evaluates a regular expression, looking for the shell prompt "~]#", and replies with the passwd command for the specified managed account.

passwd managedaccount complexpassword

4. If the arguments passed to the passwd command are valid, the server replies with:

Enter new Unix Password:

5. The platform waits for the server's response and evaluates a regular expression, looking for Enter new Unix Password.
6. If the response is not Enter new Unix Password, the platform waits for other possible responses such as User does not exist.


7. If the regular expression for one of those error responses evaluates to true, the platform exits with an error.
8. If the regular expression Enter new Unix Password evaluates to true, the platform replies with the new password.
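The expect/response flow described in the Steps tab explanation above and in this Linux synopsis, as an added example (illustrative code written for this guide, not Password Safe's own engine): a small Python state machine that evaluates the Error Handling statements first, then the current group's statements in order, supports goto and finish with success, and expands <<tags>> such as <<manacctname>> and <<prompt>>. The FakeLinuxHost class, the variable names, the assumption that <<prompt>> is supplied in regex form, and all of the sample server output are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example: a minimal expect/response engine in the style of the Steps tab.
# Illustrative only; the tag expansion, FakeLinuxHost and sample output are constructed.


@dataclass
class Statement:
    expect: str                 # regex evaluated against the data read from the host
    response: str = ""          # reply sent to the host (may contain <<tags>>)
    action: str = "send"        # "send", "goto", "finish with success" or "error"
    goto: str = ""              # statement group to jump to when action == "goto"


@dataclass
class CustomPlatform:
    groups: Dict[str, List[Statement]]          # statement groups, e.g. "After Login"
    error_handling: List[Statement]             # evaluated before every group
    variables: Dict[str, str] = field(default_factory=dict)  # template field variables

    def expand(self, text: str) -> str:
        """Replace <<tag>> with its configured value (e.g. <<manacctname>>)."""
        return re.sub(r"<<(\w+)>>",
                      lambda m: self.variables.get(m.group(1), m.group(0)), text)

    def run(self, host, start: str = "After Login") -> Tuple[str, List[str]]:
        """Drive the exchange until a finish/error statement matches or nothing does.
        Returns (status, list of Expect patterns that matched, in order)."""
        group, pending, matched = start, None, []
        for _ in range(50):                       # hard stop against runaway exchanges
            data = pending if pending is not None else host.read()
            pending = None
            # Error Handling statements first, then the current group's, in order.
            hit = next((s for s in self.error_handling + self.groups[group]
                        if re.search(self.expand(s.expect), data)), None)
            if hit is None:
                return "error: no Expect statement matched", matched
            matched.append(hit.expect)
            if hit.action == "error":
                return "error: " + hit.expect, matched
            if hit.action == "finish with success":
                return "success", matched
            if hit.action == "goto":              # flow does not return to this group
                group, pending = hit.goto, data   # re-evaluate the same data there
                continue
            host.write(self.expand(hit.response))
        return "error: statement limit reached", matched


class FakeLinuxHost:
    """Constructed stand-in for the remote SSH server: a scripted list of
    (expected input, output) pairs. Any unexpected input yields BADCOMMAND."""
    PROMPT = "dev@dev-machine ~]$ "

    def __init__(self, banner: str, script: List[Tuple[str, str]]):
        self.buffer, self.script, self.sent = banner, list(script), []

    def read(self) -> str:
        data, self.buffer = self.buffer, ""
        return data

    def write(self, text: str) -> None:
        self.sent.append(text)
        expected, output = self.script.pop(0) if self.script else ("", "")
        self.buffer = output if text == expected else "BADCOMMAND\n" + self.PROMPT


BANNER = ("Welcome to Linux Mint\n* Documentation: http://www.linuxmint.com\n"
          "Last login: Mon Apr 13 10:45:51 2015 from dev-machine\n"
          "Enter your reason for login:")


def build_platform() -> CustomPlatform:
    # Assumption: the <<prompt>> value is supplied already in regex form.
    return CustomPlatform(
        variables={"prompt": r"~\]\$", "manacctname": "managedaccount",
                   "newpassword": "complexpassword"},
        error_handling=[Statement(e, action="error") for e in
                        ["BADCOMMAND", "Usage:", "BAD PASSWORD",
                         r"(?i)user .*does not exist"]],
        groups={
            "After Login": [
                Statement("Enter your reason for login:", "changing password"),
                Statement("<<prompt>>", action="goto", goto="Change Password"),
            ],
            "Change Password": [
                # Success check first: the final output also contains the prompt,
                # so a prompt statement listed earlier would match instead of it.
                Statement("all authentication tokens updated successfully",
                          action="finish with success"),
                Statement("<<prompt>>", "passwd <<manacctname>>"),
                Statement("Enter new Unix Password", "<<newpassword>>"),
                Statement("Retype new Unix Password", "<<newpassword>>"),
            ],
        })


def change_password_ok() -> Tuple[str, List[str]]:
    host = FakeLinuxHost(BANNER, [
        ("changing password", FakeLinuxHost.PROMPT),
        ("passwd managedaccount", "Enter new Unix Password: "),
        ("complexpassword", "Retype new Unix Password: "),
        ("complexpassword", "passwd: all authentication tokens updated successfully\n"
                            + FakeLinuxHost.PROMPT),
    ])
    return build_platform().run(host)


def change_password_unknown_user() -> Tuple[str, List[str]]:
    host = FakeLinuxHost(BANNER, [
        ("changing password", FakeLinuxHost.PROMPT),
        ("passwd managedaccount", "passwd: user 'managedaccount' does not exist\n"
                                  + FakeLinuxHost.PROMPT),
    ])
    return build_platform().run(host)
```

Two points the example makes concrete: every chunk of server output is checked against the Error Handling patterns before the group's own statements, which is why an unknown-user reply aborts the run instead of being mistaken for a prompt; and because the final "tokens updated" output also contains the shell prompt, the finish with success statement has to sit above the generic prompt statement, which is the ordering the Up and Down icons on the Steps tab exist to control.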


Configure SSH and RDP Connections

In the Password Safe web portal, requesters can request access to use SSH or RDP remote connections. To permit remote connections, you must configure an access policy.

The following section provides additional information on setting up SSH or RDP connections.

For more information, please see "Configure Password Safe Access Policies" on page 45.

Requirements for SSH

• You must install PuTTY to enable SSH functionality. Go to www.putty.org and download the software.
• If you use a Windows 8 or Windows Server 2012 VMWare virtual machine, VMWare Tools installs itself as a URL Handler for SSH and stops the sample registry script from working. You must remove the registry variable:

[HKEY_LOCAL_MACHINE\SOFTWARE\VMwareInc.\VMwareHostOpen\Capabilities\UrlAssociations]
"ssh"="VMwareHostOpen.AssocUrl"

Supported SSH Client Algorithms

When Password Safe checks and changes passwords, it uses the following algorithms to connect and communicate.

Authentication Methods: Password, Public key, Keyboard interactive
Encryption Algorithms: AES, Triple DES, Blowfish, blowfish-ctr, blowfish-cbc
Encryption Modes: CBC, CTR
Host Key Algorithms: RSA, DSS, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519
Key Exchange Algorithms: curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
MAC Algorithms: MD5, SHA-1, SHA-2, HMAC-MD5, HMAC-MD5-96, HMAC-SHA1-96
Symmetric Key Algorithms: arcfour256, arcfour128, arcfour

The following algorithms are disabled by default:

• diffie-hellman-group1-sha1
• diffie-hellman-group-exchange-sha1
• blowfish-ctr
• blowfish-cbc
• 3des-cbc
• arcfour256
• arcfour128
• arcfour
• HMAC-MD5
• HMAC-MD5-96
• HMAC-SHA1-96
• aes256-cbc
• aes192-cbc
• aes128-cbc


Use the following registry keys to turn on the algorithms:

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshKeyExchangeAlgorithms (DWORD) = 1023 (enables ALL key exchange)

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshEncryptionAlgorithms (DWORD) = 31 (sets all encryption algorithms)

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\MacAlgorithms (DWORD) = 15 (sets all MAC algorithms)

Note: These values are in decimal.

Weak RSA server host keys shorter than 1024 bits are now rejected by default. Use the following registry key to change this setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\eEye\RetinaCS\SshMinimumRsaKeySize (DWORD) = 1024 (size of key in bits)

Host Key Algorithms

Below is a list of host key algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521
• ssh-ed25519
• rsa-sha2-512
• rsa-sha2-256
• ssh-rsa
• ssh-dss (disabled by default)

Use the following registry key to change the available client host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available server host key algorithms:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms (REG_MULTI_SZ)

Kex Algorithms

Below is a list of key exchange algorithms enabled for use by Password Safe's SSH client and server. Supported algorithms in default order of preference are:

• curve25519-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521


• diffie-hellman-group-exchange-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group-exchange-sha1 (disabled by default)
• diffie-hellman-group1-sha1 (disabled by default)

Use the following registry key to change the available key exchange algorithms for the server side of Password Safe's SSH proxy (between the user's SSH client and the proxy):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\kex_algorithms (REG_MULTI_SZ)

Use the following registry key to change the available key exchange algorithms for the client side of Password Safe's SSH proxy (between the proxy and the managed systems):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms (REG_MULTI_SZ)

RSA Host Key Size

You can configure the size (in bits) of the RSA private host key generated and used by Password Safe's SSH server.

Use the following registry key to change the host key size:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\rsa_host_key_size (REG_DWORD)

Valid values are: 2048 (default), 3072, and 4096.

Auto-Launch PuTTY Registry File

To launch the SSH client automatically, the SSH protocol must be associated with an application. To register an application, such as PuTTY, which is used in the example below, change the references to PuTTY to point to the application.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ssh]
@="URL:Secure Shell Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ssh\DefaultIcon]
@="%%ProgramFiles%%\\PuTTY\\putty.exe"

[HKEY_CLASSES_ROOT\ssh\shell]

[HKEY_CLASSES_ROOT\ssh\shell\open]

[HKEY_CLASSES_ROOT\ssh\shell\open\command]
@="cmd /V:ON /s /c @echo off && set url=%1 && for /f \"tokens=1,2,3 delims=:/ \" %%a in (\"!url!\") do set protocol=%%a&set host=%%b&set port=%%c && start \"\" \"%%ProgramFiles(x86)%%\\PuTTY\\putty.exe\" -P !port! !host!"

Supported SSH Session Protocols

You can use the following protocols with an SSH session: X11, SCP, and SFTP. You also have options to allow local and remote port forwarding.

Use the Registry Editor to turn these settings on. These settings are all type DWORD with toggle values of either 0 (no) or 1 (yes).

• X11: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_x11 = 1 (DWORD)


• SCP: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_scp
• SFTP: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_sftp
• Local Port Forwarding: Whether or not to allow local port forwarding requests from the user's SSH client through to the managed system (default: 0 - no). HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_local_port_forwarding
• Remote Port Forwarding: Whether or not to allow remote port forwarding requests from the user's SSH client through to the managed system (default: 0 - no). HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_remote_port_forwarding

Multiple SSH Sessions

To avoid a potential security risk, more than one SSH session is not permitted through one SSH connection.

You can turn on the following registry key to permit more than one session on a connection:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\ssh_proxy\allow_multiplex = 1
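The registry values described in the algorithm, host key, port forwarding and multiplex sections above are the knobs an administrator is most likely to loosen during troubleshooting and forget to restore. The following is an added example (not BeyondTrust code) of a defender-side audit of those settings: it takes a dict keyed by the value names from this section and reports every deviation from the documented defaults (weak key exchange or host key algorithms re-enabled, an RSA host key size outside the valid set, a minimum RSA key size below 1024, the "enable all" DWORD masks, and the port forwarding and multiplex toggles turned on). Reading the live registry is left out so the code runs anywhere; both sample dicts are constructed.

```python
from typing import Dict, List, Union

# Added example, not BeyondTrust code. `values` is keyed by the registry value
# names this section documents; on a real host they would be read from the
# eEye\RetinaCS and Beyondtrust\PBPS\SessionManager\ssh_proxy keys listed above.
Reg = Dict[str, Union[int, List[str]]]

# Algorithms the guide lists as disabled by default.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}
WEAK_HOST_KEY = {"ssh-dss"}
VALID_RSA_HOST_KEY_SIZES = {2048, 3072, 4096}        # rsa_host_key_size
# DWORD values the guide documents as "enable everything" masks.
ENABLE_ALL_MASKS = {"SshKeyExchangeAlgorithms": 1023,
                    "SshEncryptionAlgorithms": 31,
                    "MacAlgorithms": 15}
# Toggles whose documented default is off / not permitted.
RISKY_TOGGLES = ("allow_local_port_forwarding", "allow_remote_port_forwarding",
                 "allow_multiplex")


def audit_ssh_settings(values: Reg) -> List[str]:
    """Return a list of findings; an empty list means the defaults are intact."""
    findings: List[str] = []
    for name in ("kex_algorithms", "client_kex_algorithms"):
        weak = WEAK_KEX & set(values.get(name, []))
        if weak:
            findings.append(f"{name}: weak key exchange enabled: {sorted(weak)}")
    for name in ("host_key_algorithms", "client_host_key_algorithms"):
        weak = WEAK_HOST_KEY & set(values.get(name, []))
        if weak:
            findings.append(f"{name}: weak host key algorithm enabled: {sorted(weak)}")
    size = values.get("rsa_host_key_size", 2048)
    if size not in VALID_RSA_HOST_KEY_SIZES:
        findings.append(f"rsa_host_key_size: {size} is not one of "
                        f"{sorted(VALID_RSA_HOST_KEY_SIZES)}")
    if values.get("SshMinimumRsaKeySize", 1024) < 1024:
        findings.append("SshMinimumRsaKeySize: accepts server host keys "
                        "shorter than 1024 bits")
    for name, mask in ENABLE_ALL_MASKS.items():
        if values.get(name) == mask:
            findings.append(f"{name}: {mask} re-enables every algorithm, "
                            "including those disabled by default")
    for name in RISKY_TOGGLES:
        if values.get(name, 0) == 1:
            findings.append(f"{name}: enabled (documented default is off)")
    return findings


# Constructed sample: a proxy where legacy algorithms were switched back on.
SAMPLE_WEAK: Reg = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "host_key_algorithms": ["ssh-ed25519", "ssh-dss"],
    "rsa_host_key_size": 1024,
    "SshMinimumRsaKeySize": 512,
    "SshKeyExchangeAlgorithms": 1023,
    "allow_multiplex": 1,
}

# Constructed sample: documented defaults, nothing to report.
SAMPLE_DEFAULT: Reg = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "host_key_algorithms": ["ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa"],
    "rsa_host_key_size": 2048,
}

if __name__ == "__main__":
    for line in audit_ssh_settings(SAMPLE_WEAK):
        print("FINDING:", line)
```

Run this after any troubleshooting session that touched these keys; a non-empty result is the list of settings to put back before the change window closes.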

Enable Login Accounts for SSH Sessions

Creating a login account allows the user to open an SSH session in environments where remote shell access is not permitted, for instance, the root account. A login account will be used to establish the initial shell connection and then switch the session to the managed account.

Note: The functional account used should be a low privilege user and not the same elevated functional account that has elevated privileges to change passwords.

This feature supports the following platforms: AIX, HPUX, Linux, and Solaris.

Enable Login Accounts Manually

To manually enable login accounts, you must enable the function on both the managed system and the managed account you want to use for the SSH session.

1. From the Managed Systems page, create a new managed system, or select one from the grid.
2. From the menu actions, select Edit Managed System.
3. Within the Credentials section, toggle the Use Login Account for SSH Sessions option to yes.
4. Select your account from the Login Account dropdown.
5. Click Update Managed System and dismiss the configuration slide-out.
6. From the Managed System menu, select Go to advanced details.
7. Select the Managed Accounts tab.
8. Select the managed account you wish to edit.
9. Within the Credentials section, toggle the Login Account for SSH Sessions option to yes.
10. Click Update Account.


Enable Login Accounts with a Smart Rule

For organizations managing many assets and accounts, administrators can enable login accounts with a Smart Rule as follows:

1. Create a Smart Rule to manage the assets which will be used to access the SSH session.
2. Select the action Manage Assets using Password Safe.
3. Select the platform and the functional account.
4. From the Enable Login Account for SSH Session list, select yes.
5. Select a login account.
6. Create a Smart Rule to manage the managed accounts which will allow users to log in for an SSH session.
7. In the Actions section, select Managed Account Settings.
8. Scroll to Account Options and select Enable Login Account for SSH Sessions.

Use Direct Connect for SSH and RDP Session Requests

You can use Direct Connect for remote session requests for SSH and RDP sessions. Direct Connect requests access to a managed account on behalf of the requester. The requester accesses the system without ever viewing the managed account's credentials.

If the requester is not granted auto-approval for a session, the user receives a message stating Request requires approval. If the request is not approved within 5 minutes this connection will close. After 5 minutes the client disconnects and the user can send another connection request. When the request is approved, the user is automatically connected.

When there is an existing request for the system and account, the request is reused and the session created.

SSH Session Requests

Using an SSH client, a user can use the Password Safe Request and Approval system for SSH remote connections. The requester's information, including the Reason and the Request Duration, is auto-populated with default Password Safe settings.

To access a managed account using Direct Connect, the requester has to connect to Password Safe's SSH Proxy using a custom SSH connection string with the following formats:

l For UPN credentials:

<Requester>+<Username@Domain>+<System Name>@<Password Safe>

l For down-level logon names\non-domain credentials:

<Requester>@<Domain\\Username>@<System Name>@<Password Safe>

You can override the default SSH port and enter port 4422. The requester will then be prompted to enter their password, which they use toauthenticate with Password Safe.

l For UPN credentials:

ssh -p 4422 <Requester>+<Username@Domain>+<System Name>@<Password Safe>


l For down-level logon names\non-domain credentials:

ssh -p 4422 <Requester>@<Domain\\Username>@<System Name>@<Password Safe>

Once the requester is authenticated, they will be immediately connected to the desired machine.

RDP Session Requests

Note: RDP Direct Connect supports push two-factor authentication. An access-challenge response is not supported. LDAP users that use the mail account naming attribute cannot use RDP Direct Connect.

To request an RDP session using Direct Connect:

1. Click the arrow to download the RDP Direct Connect file from Password Safe.

This is a one-time download. Each account and system combination requires that the user download the unique RDP file associated with it.

2. Run the file to establish a connection to the targeted system.
3. The requester is then prompted to enter the password they use to authenticate with Password Safe.

Direct Connect Delimiters

You can customize the character delimiters accepted in a Direct Connect connection string (in addition to + and @) by setting the following registry key:

HKLM\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\delimiters (REG_SZ)

Additionally, you can enable support for a dynamic delimiter. When this is enabled, any connection string that starts and ends with thesame non-alphanumeric character will be split on that character.

For example: ssh -p 4422 /requestor/maccount/msystem/@bihost

In this case, '/' will be used as the delimiter.

To enable dynamic delimiters (default is off), set the following registry key:

HKLM\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\direct_connect\dynamic_delimiter = 1 (REG_DWORD)
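The two Direct Connect connection string formats from the SSH Session Requests section, together with the dynamic delimiter rule above, as an added example (not BeyondTrust code): a Python parser that splits the login the way an SSH client does (at the last @, so the proxy sees everything before it as the user name) and then recovers requester, managed account and managed system. The splitting rules are my reading of the text: the configured delimiters default to + and @, a string that starts and ends with the same non-alphanumeric character is split on that character when dynamic delimiters are on, and otherwise exactly one configured delimiter must divide the string into three fields. Function names and all sample strings are constructed; the DEFAULT_DELIMITERS value is an assumption about what the delimiters registry value holds by default.

```python
from typing import Tuple

# Added example, not BeyondTrust code: parse Direct Connect SSH connection strings.
DEFAULT_DELIMITERS = "+@"   # assumed default content of the delimiters registry value


def split_ssh_login(login: str) -> Tuple[str, str]:
    """Split 'user@host' the way an SSH client does: at the LAST '@'.
    The user part is what Password Safe's SSH proxy receives as the user name."""
    user, sep, host = login.rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"not a user@host login: {login!r}")
    return user, host


def parse_direct_connect(user: str, delimiters: str = DEFAULT_DELIMITERS,
                         dynamic_delimiter: bool = False) -> Tuple[str, str, str]:
    """Return (requester, managed account, managed system) from the SSH user name.

    Dynamic delimiter: a string that starts and ends with the same
    non-alphanumeric character is split on that character.
    Otherwise every configured delimiter is tried and exactly one must yield
    three fields: the UPN form contains one '@' inside the account and two '+',
    the down-level form contains no '+' and two '@'."""
    if (dynamic_delimiter and len(user) >= 2 and user[0] == user[-1]
            and not user[0].isalnum()):
        parts = user[1:-1].split(user[0])
    else:
        candidates = [user.split(d) for d in delimiters if len(user.split(d)) == 3]
        if len(candidates) != 1:
            raise ValueError(f"cannot split {user!r} unambiguously on {delimiters!r}")
        parts = candidates[0]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected requester, account and system in {user!r}")
    requester, account, system = parts
    return requester, account, system


def parse_login(login: str, delimiters: str = DEFAULT_DELIMITERS,
                dynamic_delimiter: bool = False) -> Tuple[str, str, str, str]:
    """Full decode of the argument given to `ssh -p 4422 <login>`:
    (requester, account, system, Password Safe host)."""
    user, host = split_ssh_login(login)
    return parse_direct_connect(user, delimiters, dynamic_delimiter) + (host,)


if __name__ == "__main__":
    # Constructed samples for the three formats described in the guide.
    for login, dyn in [("jsmith+svc-backup@corp.example+fs01@pwsafe.corp.example", False),
                       ("jsmith@CORP\\svc-backup@fs01@pwsafe.corp.example", False),
                       ("/requestor/maccount/msystem/@bihost", True)]:
        print(login, "->", parse_login(login, dynamic_delimiter=dyn))
```

The down-level sample is written with a Python string escape (`"CORP\\svc-backup"`), so the value actually parsed contains a single backslash, which is what the guide's `<Domain\\Username>` notation resolves to once the shell has processed it. With dynamic delimiters disabled the `/requestor/maccount/msystem/` form is rejected rather than guessed, matching the registry default of off.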

Use Two-Factor Authentication Token

RDP and SSH Direct Connect sessions support using a two-factor authentication token.

l RDP session: A delimiter (,) must be entered after you enter the password. For example: password, token

The delimiter can be changed using the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\2fa_delimiter

The delimiter must be excluded from user login passwords.

l SSH session: You are prompted to enter a token after you enter the password.


Configure RDP Sessions

Certificate Authentication

To ensure secure communications, an RDP session uses the same certificate as the certificate created for the web portal. The certificate supports SSL/TLS authentication types.

Create a Certificate and Add to the BeyondInsight Server

To avoid certificate error messages when initiating an RDP session, create a certificate signed by a valid Certificate Authority (CA) for the BeyondInsight server. Add that certificate and the certificate chain to the BeyondInsight server certificate stores. Use the high-level steps below as guidance:

Create the Certificate Request

1. On the BeyondInsight server, open IIS Manager.
2. On the local host node, select Server Certificates, and then select Create Certificate Request.
3. Go through the Request Certificate wizard. On the Cryptographic Service Provider Properties page, select a bit length of 2048.

Note: The Common Name equals the server name or the IP address, depending on the URL you are using for the BeyondInsight login page.

For example, server name could be an IP address, the server short name, or a fully qualified domain name:

https://<server name>/webconsole

common name = <servername>

4. Enter a file name for the certificate request and set the location to the desktop.

Sign the Certificate

The procedure for signing the certificate varies, depending on your company’s CA implementation.

1. Go to your Certificate Authority website.
2. On the Certificate Request or Renewal Request page, copy the text from the certificate request file.
3. Be sure to select Web Server as the Certificate Template type.
4. After you click Submit, download the certificate and certificate chain to your desktop.
5. Copy the files to the BeyondInsight server desktop. This will be the server certificate.
6. Open IIS Manager on the BeyondInsight server, and click Complete Certificate Request.
7. On the Specify Certificate Authority Response page, find the file on your desktop, enter a friendly name, and use the default Personal certificate store.

Bind the Server Certificate to the Default Web Site in IIS

1. Right-click Default Web Site, and then select Edit Bindings.
2. Select https on port 443, and then click Edit.
3. From the SSL certificate list, select the server certificate created earlier, and then click OK.

Add Certificate Chain


1. On the BeyondInsight server, open mmc and add the Certificates snap-in.
2. Expand Trusted Root Certification Authorities.
3. Right-click Certificates, then select All Tasks > Import.
4. Go through the Certificate Import wizard to import the certificate chain file (created earlier).
5. Select the appropriate file extension. Be sure to store the certificate in Trusted Root Certification Authorities.

Enable Smart Sizing

When in an RDP session, the user can choose to smart size the client window so that no scroll bars display.

You can enable Smart Sizing on the Session Monitoring Configuration page by selecting the check box.

Turn Off Font Smoothing

Font smoothing is turned on by default. To turn off font smoothing, change the following registry key value from 0 to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\disable_font_smoothing = 1 (DWORD)

Configure Ports

Ports can be configured using the BeyondInsight Configuration tool. In the configuration tool, scroll to the Password Safe section to set all port values.

These ports are configurable under Global Settings. The default inbound port connections to the Password Safe proxy:

• RDP: 4489
• SSH: 4422

Session Countdown Duration

You can configure the maximum amount of time for which the session countdown timer will be displayed by setting the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\countdown_duration (DWORD value in seconds, default is 1800)


Configure Session Monitoring

Session monitoring records the actions of a user while they access your password-protected managed systems. The actions are recorded in real time with the ability to bypass inactivity in the session. This allows you to view only the actions of the user.

You configure session monitoring when you add or edit a managed system.

There are additional settings that you need to configure, such as listen host and screen resolution.

Configure Listen Host and File Location

Using the BeyondInsight Configuration tool, you can set the listen host and file location for the monitored sessions.

1. Open the BeyondInsight Configuration tool.
2. Go to the Password Safe section.
3. Enter the IP address for the listen host.
4. Set the location for the session monitoring file. The default location is in the installation directory \data\sessionmonitoring.

Configure Concurrent Sessions

Remote sessions can be limited to a set number of concurrent sessions.

The option to increase or limit the number of sessions a user can open at one time is configured in access policies, when setting the schedule.


If a user tries to open more sessions than allowed, a message is displayed on the Requests page.

For more information, please see "Configure Password Safe Access Policies" on page 45.

Use Session Masking

Passwords can be hidden from session replays by applying a mask. When session masks are active, an SSH session recording at that time will check the keystrokes against the mask. Any matches are replaced. When the keystroke session is replayed, the viewer sees asterisks instead of the password. More than one mask can be active at a time.

Masks can be created, changed, and deleted. These actions are captured in user auditing.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Session Masks.
2. To create a mask:

• Click Create New Mask.
• Enter a name for the mask and the mask pattern.
• Check the Active option.
• Click Create Session Mask.

3. To edit a mask:

• Click the More Options icon for the mask, and then select Edit Session Mask.
• Edit the name for the mask or the mask itself.
• Check or uncheck the Active option as appropriate.
• Click Update Session Mask.

4. To delete a mask, click the More Options icon for the mask, and then select Delete.
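To show what a mask does to a recording, here is an added Python example (not BeyondTrust code) that applies a set of session masks to a constructed keystroke log. That a mask pattern is a regular expression, that inactive masks are skipped, and that each match is replaced by the same number of asterisks are assumptions; the guide only says matches are replaced and the viewer sees asterisks.

```python
"""Apply Password Safe style session masks to recorded keystrokes.

Added example, not BeyondTrust code.  Assumptions: a mask pattern is a regular
expression, inactive masks are skipped, and every match is replaced by the same
number of asterisks so the replay stays aligned with the original keystrokes.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SessionMask:
    name: str
    pattern: str        # assumed to be a regular expression
    active: bool = True


def mask_keystrokes(keystrokes: str, masks) -> str:
    """Return the keystroke text with every active mask's matches replaced by '*'."""
    out = keystrokes
    for mask in masks:
        if not mask.active:
            continue
        out = re.sub(mask.pattern, lambda m: "*" * len(m.group(0)), out)
    return out


def audit_event(actor: str, action: str, mask: SessionMask) -> dict:
    """Minimal audit record for a mask create/edit/delete, as the guide says these are audited."""
    return {"when": datetime.now(timezone.utc).isoformat(), "actor": actor,
            "action": action, "mask": mask.name, "active": mask.active}


# Constructed sample keystroke log (not a real recording).
SAMPLE_KEYSTROKES = (
    "sudo -S systemctl restart nginx\n"
    "Str0ng-Passw0rd!\n"
    "mysql -u app -pStr0ng-Passw0rd! appdb\n"
    "curl -H 'Authorization: Bearer tokenvalue1234' https://api.internal/\n"
)

# Two active masks and one inactive one.  A literal secret is escaped so regex
# metacharacters in the password cannot widen or break the match.
SAMPLE_MASKS = [
    SessionMask("managed-account-password", re.escape("Str0ng-Passw0rd!")),
    SessionMask("bearer-tokens", r"Bearer [A-Za-z0-9._-]+"),
    SessionMask("disabled-example", r"nginx", active=False),
]

if __name__ == "__main__":
    print(mask_keystrokes(SAMPLE_KEYSTROKES, SAMPLE_MASKS))
    print(audit_event("psadmin", "create", SAMPLE_MASKS[0]))
```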

Customize Session Images

As a Password Safe administrator, you can add corporate logos to replace default brand splash, replay, and lock images.


IMPORTANT!

You must clear the browser cache to see new images after they have been updated. Also, all image files should be backed up in a safe location because they will be overwritten on the next upgrade and must be replaced after the upgrade completes to restore the customization.

Customize Splash Image

To customize the splash image:

1. Place the customized splash.png file in this directory:

/eEye Digital Security/Retina CS/ Website/images

Note: Size must be 1024 x 768px

2. Rename the original splash.png file or move it to another location.
3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy] registry key, add a string value of splash_png with a value of the path to the customized splash image.

Customize Replay Images

To customize the Admin > Replay logos:

Modify the following files:

• C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder.jpg

Note: Size must be 147 x 125px

• C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\rdp-placeholder-lg.jpg

Note: Size must be 1024 x 768px

• C:\Program Files (x86)\eEye Digital Security\Retina CS\website\images\ssh_placeholder.jpg

Note: Size must be 137 x 125px

Customize Lock Image

To customize the lock image that appears to the end user when an administrator locks an active session:

1. Place the customized lock.png file in this directory:

/eEye Digital Security/Retina CS/ Website/images


Note: Size must be 1024 x 768px

2. Rename the original lock.png file or move it to another location.
3. In the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\rdp_proxy\lock] registry key, add a string value of png with a value of the path to the customized lock image.

Configure Recorded Sessions in a Multi-Node Environment

In a multi-node environment, sessions can be viewed from any node in the environment, regardless of the node it was created on.

SSL certificates are used to ensure secure communication between the nodes. You must create a certificate using a Certificate Authority (CA) and import the certificate on each of the nodes.

When setting up the certificate, the Password Safe agent host name (or host name override) must match the Issued to details on the certificate properties in the Certificates snap-in.

Note: The CA certificates that issue the SSL certificates (the Issued by on the certificate properties) must be trusted by all nodes in the environment.

To confirm the host name matches the Issued to field:

1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Session Agents.
2. Select the agent from the list, and view the host name indicated in the Host Name Override box.
3. Open the Windows Certificates snap-in, and then double-click the certificate.
4. Confirm the name of the certificate in one of the following places:

• On the General tab, confirm the host name is the same name as in the Issued to field.
• On the Details tab, scroll to the Subject field and confirm the CN=<name> matches the agent host name.

Configure Keystroke Logging

Password Safe records keystrokes for all recorded sessions. Keystroke logging is enabled by default. When you open a recorded session, the pane on the right displays keystrokes. You can select a keystroke entry to view where that keystroke occurred. You can also filter keystroke entries by date, time, or keystroke in the Search box.

Turn Off Keystroke Logging

From the Global Settings > Session Monitoring configuration, you can turn off keystroke logging for ISA users and admin sessions.

Keystroke logging can be enabled for all other users when setting the scheduling options for an access policy.

1. In the BeyondInsight console go to Configuration > Privileged Access Management > Global Settings.
2. Under the Session Monitoring settings, clear the applicable keystroke logging options.
3. Click Update Session Monitoring Settings.


Enhanced Session Auditing

Enhanced session auditing captures and records all mouse activity in the Keystrokes menu of Recorded Sessions for RDP and RDP application sessions. Enhanced session auditing is enabled by default. It uses the rules in the access policy for Admin Session multi-session checkouts. During a recorded RDP session, an agent called pbpsmon is installed on the host for the duration of the session. The agent monitors and audits Windows click events.

Note: Session monitoring captures text that is copied in an RDP session window. The copied text is captured only the first time. Any subsequent copy tasks of the same text are not captured for the session.

To use enhanced session auditing, the functional account of the managed Windows host or Remote Desktop Services host needs administrative rights.

Turn Off Enhanced Session Auditing ISA Users

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.
2. Under the Session Monitoring settings, clear the applicable enhanced session auditing options.
3. Click Update Session Monitoring Settings.

You can turn off enhanced session auditing for admin sessions and all other non-ISA users, when setting the scheduling options for an access policy.

Troubleshoot Enhanced Session Auditing

The following files are deployed as part of enhanced session auditing:

• pbpsdeploy (Password Safe Deployment Agent service)
• pbpsmon
• pbpslaunch
• pbpsmon and pbpslaunch (These are contained in a cab file that is copied to the Windows directory and extracted to C:\pbps\.)

pbpsdeploy

The pbpsdeploy.exe file resides in the Windows directory (C:\Windows).

• Access to ADMIN$ is required to copy pbpsdeploy.exe from Password Safe to the target server.
• Confirm the service is displayed in the Services snap-in after deployment.
• The output from the deployment service should be in the pbsm logs.

Example:

2017/03/07 15:47:12.186 2292 6548 INFO: Pushing pbpsdeploy service to 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.528 2292 6548 INFO: Starting pbpsdeploy service on 10.200.28.39 as user backupadmin
2017/03/07 15:47:13.593 2292 6548 INFO: Copied pbpsmon.cab
2017/03/07 15:47:13.716 2292 6548 INFO: pbpsmon install:


Using binary directory C:\Windows\
Created directory C:\pbps
Extracting File "pbpsmon.exe" (Size: 15872 bytes) -> "C:\pbps\pbpsmon.exe"
Extracting File "pbpslaunch.exe" (Size: 145408 bytes) -> "C:\pbps\pbpslaunch.exe"
Extracting File "msvcp120.dll" (Size: 455328 bytes) -> "C:\pbps\msvcp120.dll"
Extracting File "msvcr120.dll" (Size: 970912 bytes) -> "C:\pbps\msvcr120.dll"
Extracting File "vccorlib120.dll" (Size: 247984 bytes) -> "C:\pbps\vccorlib120.dll"
Extracting File "libeay32.dll" (Size: 1359872 bytes) -> "C:\pbps\libeay32.dll"
Extracting File "ssleay32.dll" (Size: 252928 bytes) -> "C:\pbps\ssleay32.dll"
Creating registry keys
Registry keys successfully created
Creating task
Task successfully created

pbpsmon

Verify the following setup has been performed by the deployment service:

• In Task Scheduler, confirm the following task is created: BeyondTrust Password Safe Monitoring Task.

• In regedit, the following registry key is created, which creates the disconnect event:

HKLM\System\CurrentControlSet\Control\Terminal Server\Addins\PBPSMON

pbpslaunch

Verify the following setup has been performed by the deployment service:

• In regedit, the following registry key is created:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServer\TSAppAllowList\Applications\pbpslaunch


• A pbpslaunch entry exists in RemoteApp Manager.

• Locate the log statement Accepting RDP Channel <name>. There should be one for pbpsmon, and if it is an application session, one for pbpslaunch.

Example:

2017/03/07 15:47:14.659 3672 4788 INFO: Accepting RDP Channel PBPSMON

• The Event Viewer on the target server includes setup and cleanup results of pbpsmon and pbpslaunch sent to pbsmd.

1. Open Event Viewer.
2. Expand Windows Logs.
3. Click Application.
4. Filter the application log on Source = pbpsdeploy.

Note: You can prevent the session monitoring service from deploying pbpsmon and pbpslaunch on the managed system by setting the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Beyondtrust\PBPS\SessionManager\rdp_proxy\use_pbpsdeploy = 0 (REG_DWORD)

Configure Algorithms used by the Session Monitoring Proxy

The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the user's SSH client and the SSH proxy are configurable using the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\ciphers
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\host_key_algorithms
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\kex_algorithms
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\macs


The encryption algorithms (ciphers), host key algorithms, key exchange (kex) algorithms, and MAC algorithms that may be used by Password Safe between the SSH proxy and the managed system are configurable using the following registry keys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_ciphers
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_host_key_algorithms
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_kex_algorithms
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust\PBPS\SessionManager\ssh_proxy\client_macs

Each of these keys, if defined, must hold a multi-string value (REG_MULTI_SZ), with one algorithm name per line.

For example, ciphers might be:

• aes128-ctr
• aes192-ctr
• aes256-ctr

This restricts the available encryption algorithms to those named.
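Because REG_MULTI_SZ values are awkward to type by hand, the following added Python example (not BeyondTrust code) builds a .reg file that sets all eight ssh_proxy keys above and decodes it back so the lists can be checked before import. The cipher list is the guide's own example; the other algorithm names are standard SSH algorithm identifiers chosen for illustration, not a list the guide recommends, and which algorithms the proxy actually supports is not stated on this page.

```python
"""Build a .reg file that restricts the Password Safe SSH proxy algorithm keys.

Added example, not BeyondTrust code.  Each value is a REG_MULTI_SZ, which regedit
exports as hex(7): UTF-16LE bytes, every string NUL-terminated, plus a final NUL.
Which algorithms the proxy actually supports is not stated in the guide; apart
from the ciphers list (the guide's example) the lists below are illustrative.
"""

SSH_PROXY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BeyondTrust"
                 r"\PBPS\SessionManager\ssh_proxy")

# user's SSH client <-> proxy
USER_SIDE = {
    "ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],          # guide's example
    "host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group16-sha512"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512"],
}
# proxy <-> managed system: same value names with the client_ prefix
MANAGED_SIDE = {"client_" + name: algs for name, algs in USER_SIDE.items()}


def encode_multi_sz(values) -> str:
    """Encode a list of strings as the regedit hex(7) form of REG_MULTI_SZ."""
    for v in values:
        # One algorithm name per line: no empty entries, no whitespace, no NUL.
        if not v or any(c.isspace() for c in v) or "\x00" in v:
            raise ValueError(f"bad algorithm name: {v!r}")
    raw = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex7: str) -> list:
    """Inverse of encode_multi_sz, for checking an exported or generated .reg value."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes(int(h, 16) for h in hex7[len("hex(7):"):].split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def build_reg_file(settings: dict) -> str:
    """Produce a regedit-importable file setting each value under the ssh_proxy key."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{SSH_PROXY_KEY}]"]
    for name, algs in settings.items():
        lines.append(f'"{name}"={encode_multi_sz(algs)}')
    return "\r\n".join(lines) + "\r\n"


def parse_reg_file(text: str) -> dict:
    """Read back the values written by build_reg_file (single key, unwrapped lines)."""
    out = {}
    for line in text.splitlines():
        if line.startswith('"') and '"=' in line:
            name, value = line[1:].split('"=', 1)
            out[name] = decode_multi_sz(value)
    return out


if __name__ == "__main__":
    print(build_reg_file({**USER_SIDE, **MANAGED_SIDE}))
```

Import the generated file with regedit (or reg.exe import) on the Password Safe host; each key that is defined restricts the proxy to exactly the names listed, so a typo in an algorithm name removes it from the negotiable set rather than raising an error.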


Use DSS Authentication

Applying DSS authentication on a managed system is a secure alternative to using password authentication. DSS authentication is set on the functional account and managed account properties.

DSS authentication is supported on the following systems: Linux, AIX, HP-iLO, HP-UX, DRAC, MAC OSX, Solaris, Juniper, RACF.

Note: Password Safe accepts SSH keys in the OpenSSH format. This includes support for newer key types typically used in that format, such as Ed25519.

Generate and Distribute the Key

You can generate keys using puttygen.exe on Windows systems and ssh-keygen on Unix-based systems. Consult the system documentation for other platforms.

Example: How to generate a 2048-bit RSA key pair with ssh-keygen. The user account used to perform the scan is admin.

# ssh-keygen -t rsa -m PEM
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/retina_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/retina_rsa.
Your public key has been saved in /home/admin/.ssh/retina_rsa.pub.
The key fingerprint is:
7f:5f:e3:44:2e:74:3c:c2:25:2b:82:7c:f8:0e:2a:da

/home/admin/.ssh/retina_rsa contains the RSA authentication identity of the user and should be securely transferred to the system running your scanner.

The file /home/admin/.ssh/retina_rsa.pub contains the RSA public key used for authentication. The contents of this file should be added to the file ~/.ssh/authorized_keys on all machines that the user wishes to scan using public key authentication.

Create a Functional Account with DSS Authentication

Before you can create the account you must generate a private key. Copying or importing a key is part of setting the functional account properties with DSS authentication.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Functional Accounts.
2. Click Create Functional Account.
3. For the Type, select Asset.
4. Select a platform.
5. Select the elevation if desired.
6. Enter the username and password.
7. From the Authentication Type list, select DSS.


8. Upload the DSS key file.
9. Provide an alias and description, and then click Save New Account.

For more information, please see "Generate and Distribute the Key" on page 114.

Create a Functional Account on the Unix or Linux Platform

Create an account on the Unix or Linux platform with a name like functional_account.

The command applies to Password Safe v6.4.4 or later.

To assign necessary privileges to the functional account, invoke the command sudo visudo in the terminal and place the following lines under the root ALL=(ALL) ALL line:

Note: Be sure to add sudo elevation to the functional account on the managed system. These commands are adjusted to reflect password changes and DSS key changes and are OS-specific.

MAC OSX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd

UBUNTU/REDHAT

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /bin/sed, /usr/bin/tee, /usr/bin/passwd

SOLARIS

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/tee, /usr/bin/sed, /usr/bin/passwd, /usr/bin/rm

HPUX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/cp, /usr/bin/sed, /usr/bin/tee, /usr/bin/passwd, /usr/bin/rm

AIX

functional_account ALL=(ALL) NOPASSWD: /usr/bin/grep, /usr/bin/pwdadm, /usr/bin/tee, /usr/bin/passwd, /usr/bin/sed, /usr/bin/cp, /usr/bin/rm

Test the Functional Account

The key can be tested from the managed system.

1. From the menu, select Managed Systems.
2. Select the managed system, and then click the More Options button.
3. Select Go to advanced details.


4. Select Functional Accounts.
5. Click Test Functional Account.

Set DSS on the Managed Account

An alternate and secure way to set up a managed account is with DSS authentication.

Before you can create the account, you must generate a private key. Copying or importing a key is part of setting the managed account properties with DSS authentication.

To create a managed account with DSS authentication:

1. From the menu, select Managed Systems.
2. Select the managed system, and then click the More Options button.
3. Select Create Managed Account.


4. From the Authentication Type list, select DSS.

5. Configure all other settings as required and then click Create Account.

For more information, please see the following:

l "Generate and Distribute the Key" on page 114

l "Work with Managed Accounts" on page 20

DSS Key Auto Management

A DSS key policy is set on a managed system that supports DSS authentication.

The Auto-Managed DSS key option enables DSS key auto-management to take place when the password for the account is changed, either manually or scheduled. It follows the same schedule as password changing.

Generating a new DSS public/private key pair will remove the old public key (if there is one) from the authorized_keys file and append the new public key.

For more information, please see "Create a DSS Key Policy" on page 118.

Get the Public Key

1. Go to the Managed Accounts page.


2. Select the account and then click the More Options button.
3. Select Public Key.

Note: If a public key has been supplied, a popup displays the current public key.

Create a DSS Key Policy

Password Safe ships with a default DSS key policy:

- Type: RSA
- Bit size: 2048
- Encryption: Auto Managed (the private key passphrase is generated from the Default Password Policy)

You can change the settings for the default policy but you cannot delete the policy.

Optionally, you can create additional policies.

1. Select Configuration > Privileged Access Management > DSS Key Policies.
2. Click Create DSS Policy.
3. Provide a name and description.
4. Select a Key Type: RSA or DSA.
5. Enable encryption, so that the generated private key is passphrase-protected.
6. Select a password policy; the passphrase is generated according to this policy.
7. Click Create DSS Key Policy.

Prefer RSA unless a target platform specifically requires DSA: OpenSSH has disabled ssh-dss (DSA) keys by default since version 7.0, and DSA keys are limited to 1024 bits.


Configure Password Safe Agents

Configure the Password Change Agent

Password Safe automatic password changes are controlled by the change agent that runs as a service on the appliance. When the change agent runs, it checks the configuration to determine the operational parameters of the appliance. Logs provide a record of the change agent activities and messages, and indicate success or failure.

The following overview explains how the change agent runs:

1. The change agent retrieves a process batch from the database. A process batch consists of one or more managed accounts that have been flagged for a password change.

2. The passwords are changed on the managed accounts, and the change is recorded.

3. The change agent waits a set period of time for a response from the change job and then moves to the next process batch in the database.

Recommendations

To maximize efficiency, we recommend a small batch size (such as 5) and a short cycle time (such as 60 seconds). If a password change fails, the change agent reprocesses it according to the retry values in the change agent settings.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Password Change Agent.
2. Set the following:

- Enable Password Change Agent: Leave enabled to activate the agent when Password Safe starts.
- Active Change Tasks: The number of accounts changed per process batch.
- Check the change queue every (seconds): The frequency at which Password Safe cycles the password change queue.
- Retry failed changes after (minutes): The amount of time before a failed password change is tried again.
- Maximum retries: The maximum number of times an attempt is made to change the password after a failed password change attempt occurs.
- Unlimited Retries: Enable to keep retrying a failed password change with no upper bound.

3. Click Save Configuration.
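To make the interaction of these settings concrete, here is a small model of the loop described above (an added example, not BeyondTrust code; the real agent's internals are not documented on this page). It reproduces the batch size, cycle time, retry delay and retry limit so you can see how many attempts a failing account receives and when it is finally abandoned. The queue contents and per-account outcomes are constructed.

```python
"""Model of the Password Change Agent loop described above.

Added example, not BeyondTrust code: it reproduces the batch / cycle / retry
semantics of the UI settings so you can see how many attempts a failing
account gets and when it is finally abandoned. Queue contents and per-account
outcomes are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Tuple


@dataclass
class AgentSettings:
    active_change_tasks: int = 5        # accounts per process batch
    check_queue_every_s: int = 60       # cycle time between queue checks
    retry_failed_after_min: int = 5     # delay before a failed change is retried
    maximum_retries: int = 3            # retries after the first failure
    unlimited_retries: bool = False     # keep retrying with no upper bound


@dataclass
class ChangeTask:
    account: str
    attempts: int = 0
    not_before_s: int = 0               # earliest time the task is eligible again


Outcome = Callable[[str, int], bool]    # (account, attempt number) -> success?
LogEntry = Tuple[int, str, int, bool]   # (time_s, account, attempt, success)


def run_agent(settings: AgentSettings, queue: List[str], outcome: Outcome,
              max_cycles: int = 1000) -> Tuple[List[str], List[str], List[LogEntry]]:
    """Run the loop until the queue drains. Returns (succeeded, abandoned, log)."""
    pending: Deque[ChangeTask] = deque(ChangeTask(a) for a in queue)
    succeeded: List[str] = []
    abandoned: List[str] = []
    log: List[LogEntry] = []
    t = 0
    for _ in range(max_cycles):
        if not pending:
            break
        # 1. retrieve a process batch: eligible accounts, up to the batch size
        batch: List[ChangeTask] = []
        deferred: List[ChangeTask] = []
        while pending and len(batch) < settings.active_change_tasks:
            task = pending.popleft()
            (batch if task.not_before_s <= t else deferred).append(task)
        pending.extendleft(reversed(deferred))   # keep waiting tasks in order
        # 2. attempt the change for each account and record the result
        for task in batch:
            task.attempts += 1
            ok = outcome(task.account, task.attempts)
            log.append((t, task.account, task.attempts, ok))
            if ok:
                succeeded.append(task.account)
            elif settings.unlimited_retries or task.attempts <= settings.maximum_retries:
                task.not_before_s = t + settings.retry_failed_after_min * 60
                pending.append(task)
            else:
                # retries exhausted: the point at which a Password Change
                # Failure notification is sent (see the notification tables)
                abandoned.append(task.account)
        # 3. wait one cycle, then check the queue again
        t += settings.check_queue_every_s
    return succeeded, abandoned, log


# Constructed scenario: one account that succeeds on its second try and one
# that never succeeds (for example, a functional account locked out on the target).
SAMPLE_QUEUE = ["svc-web01", "svc-web02", "svc-db01", "svc-flaky", "svc-locked", "svc-app01", "svc-app02"]


def sample_outcome(account: str, attempt: int) -> bool:
    if account == "svc-locked":
        return False
    if account == "svc-flaky":
        return attempt >= 2
    return True


def demo() -> Tuple[List[str], List[str], List[LogEntry]]:
    return run_agent(AgentSettings(), SAMPLE_QUEUE, sample_outcome)


if __name__ == "__main__":
    succeeded, abandoned, log = demo()
    for t, account, attempt, ok in log:
        print(f"t={t:5d}s {account:<10} attempt {attempt} {'ok' if ok else 'FAILED'}")
    print("abandoned:", abandoned)
```

With the defaults above, an account that never succeeds is attempted four times (the initial attempt plus Maximum retries) five minutes apart and is then dropped, which is roughly fifteen minutes before the failure notification goes out; with Unlimited Retries enabled it is never dropped and keeps consuming a slot in every batch in which it is eligible.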

Configure the Mail Agent

Password Safe uses email to provide notification between approvers and requesters, error alerting, and general information delivery.


1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Mail Agent.
2. Set the following:

- Enable Mail Agent (Running): Enable to activate the mail agent when Password Safe starts.
- Send mail every x minutes: The number of minutes that pass before queued emails are sent.
- Delete messages after x failed attempts: The number of times the mail agent attempts to send an email before discarding it.

3. Click Save Configuration.

Configure the Password Test Agent

The password test agent tests all managed accounts and functional accounts on the schedule you set. The test verifies that Password Safe can still connect to each asset and authenticate with the stored credential. When a test fails, BeyondInsight sends a Password Check Failure notification email (see the notification tables under Customize Email Notifications for the recipients).

1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Password Test Agent.
2. Check the Enable Password Test Agent box.
3. Set the schedule, and then click Save Configuration.


Configure Session Agents for Remote Proxy Sessions

In a distributed environment where there is more than one BeyondInsight instance installed, a Password Safe user can request a session to a remote instance. In this scenario, the user can request passwords and sessions for a remote instance by selecting a node on the Requests page in the Password Safe web portal.

BeyondInsight uses session agents to provide automatic heartbeat statuses to the primary BeyondInsight server. On startup the agent is set to Active, and on shutdown the agent is set to Inactive. The agent provides a status every five minutes. The Password Safe web portal displays only the active agents as nodes.

Configure a Display Name for a Session Agent

The display name is what appears as the name of the node in the Password Safe web portal. Configure the display name as follows:

1. In the BeyondInsight console, go to Configuration > Privileged Access Management Agents > Session Agents. The Session Agents pane lists the active and inactive agents.
2. Select an agent. Its settings appear in the Details pane.
3. If the DNS name for the remote server is different from the primary BeyondInsight server, enter a custom host name in the Host Name Override box. This is the name the connection is validated against, so when you use a custom certificate it must match the name that certificate was issued for; otherwise the connection to the host cannot be verified as valid and secure.
4. In the Display Name box, enter the node name that you want to display in the Password Safe web portal.
5. Click Save Configuration.

Enable the Node Selector in Password Safe

If you want users to be able to select a specific BeyondInsight instance in the Password Safe web portal, you must turn on the applicable Sessions setting in the Global Settings configuration.


1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Global Settings.

2. Under Sessions settings, click the toggle to enable the Allow users to select a remote proxy when creating sessions option.

3. Click Update Sessions Settings.


Add Ticket Systems to the List on the Requests Page

Password Safe can be configured to allow references to ticketing systems in password release requests. This provides a method to include information that can be cross-referenced to an existing ticket or change control system for auditing purposes, or to be used in the approval process.

You can create a list of ticket system labels to populate the Ticket System list on a request.

1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Ticket Systems.
2. In the Ticket Systems pane, click Create New Ticket System.
3. Select BeyondTrust Ticket System from the Platform list.
4. Enter a name and description.
5. Click Save Ticket System.

For information on integrating third-party ticket systems, such as BMC Remedy, CA Service Desk, Jira, and ServiceNow, with BeyondInsight and Password Safe, please see the following:

- BeyondTrust BeyondInsight Guides at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/index.htm
- BeyondTrust Password Safe Guides at https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/index.htm


Customize Email Notifications

Email notifications are used to alert users on particular Password Safe actions, such as connection profile alerts, release requests, and password check failures.

Email Notifications Sent by Password Safe

The tables below list the email notifications that are sent to Password Safe users. Each row gives the event that triggers the notification, the account type it applies to, and the recipients, split into those that are fixed and those that are configurable through template settings.

Local Accounts (includes non-domain asset and database managed systems)

| Event | Account | Not configurable | Configurable by template settings |
|---|---|---|---|
| Release Request | Managed | NA | Account's Approver; Requester (CC); Asset's ISA |
| Request Response | Managed | NA | Account's Approver (CC); Requester; Asset's ISA |
| Password Change Failure | Managed | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Change Failure | Functional | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Check Failure | Managed | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Check Failure | Functional | Managed System's ISA; Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Privileged Password Release | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA |
| Non-Managed Release Expiration | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA |


Domain Accounts

| Event | Account | Not configurable | Configurable by template settings |
|---|---|---|---|
| Release Request | Managed | NA | Account's Approver; Requester (CC); Domain Management permission (with Read/Write) |
| Request Response | Managed | NA | Account's Approver (CC); Requester; Domain Management permission (with Read/Write) |
| Password Change Failure | Managed | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Change Failure | Functional | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Check Failure | Managed | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Password Check Failure | Functional | Domain Management permission (with Read/Write); Built-in BeyondInsight Administrator; Managed System contact person (Managed Systems settings UI) | NA |
| Privileged Password Release | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA |
| Non-Managed Release Expiration | Managed | Managed Account Release Notification Recipients (Managed Accounts settings UI) | NA |

Customize Mail Templates

The subject line and message body for a template can be customized in Password Safe configuration.


1. In the BeyondInsight console, go to Configuration > Privileged Access Management > Mail Templates.
2. Select a mail template type from the list.
3. Type the subject line text.
4. In the Message Body field, add the text for the email:

- Copy a tag from the Body Tags section to a location in the message body.
- When working within cumulative alert emails, ensure you add any additional body tags within the <ROW></ROW> elements.
- To include hyperlinks that link directly to the approval and denial pages for a file or password request, use the :approvallink: and :denylink: message body tags.

5. Click Save Template.

Note: Only one <ROW></ROW> tag can be added to the mail template. If you wish to add more tags, they must be added to the row already present within the template. For example:

<ROW>:AlertTimeUTC: | :AlertTimeClient: | :ComputerName: | :AccountName: | :AccountDomain: | :DNSName: | :IPAddress: | :EventCode: | :EventReferenceId: | :SubjectSID:</ROW>
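The following renderer shows how the body-tag and single-<ROW> conventions above behave when a template is expanded: the row block is repeated once per alert, tags outside it come from the request context, and a second <ROW> element is rejected. It is an added example and not BeyondInsight's template engine; the tag names are the ones the guide shows, while the request context (including the shape of the approval and denial URLs) and the alert records are constructed.

```python
"""Renderer for the body-tag and <ROW></ROW> conventions described above.

Added example, not BeyondInsight's template engine. Tag names are the ones the
guide shows; the request context and alert records are constructed.
"""
import html
import re
from typing import Dict, Iterable, List, Tuple

TAG_RE = re.compile(r":([A-Za-z]+):")
ROW_RE = re.compile(r"<ROW>(.*?)</ROW>", re.DOTALL)


def row_count(body: str) -> int:
    """Number of <ROW></ROW> elements in a template body (the guide allows one)."""
    return len(ROW_RE.findall(body))


def _expand(text: str, values: Dict[str, str]) -> str:
    """Replace every :Tag: whose name is in `values`; leave unknown tags visible.

    Values are HTML-escaped on the assumption (this example's, not the guide's)
    that the message body is HTML. Each segment is scanned exactly once, so a
    substituted value that happens to contain ':something:' is never expanded
    as a tag itself.
    """
    def sub(m):
        name = m.group(1)
        return html.escape(values[name]) if name in values else m.group(0)
    return TAG_RE.sub(sub, text)


def render_template(subject: str, body: str, context: Dict[str, str],
                    rows: Iterable[Dict[str, str]] = ()) -> Tuple[str, str]:
    """Render subject and body; the single <ROW> block is repeated per alert row."""
    if row_count(body) > 1:
        raise ValueError("only one <ROW></ROW> element is allowed per template")
    parts = ROW_RE.split(body)          # [body] or [before, row template, after]
    out: List[str] = [_expand(parts[0], context)]
    if len(parts) == 3:
        out.append("\n".join(_expand(parts[1], {**context, **row}) for row in rows))
        out.append(_expand(parts[2], context))
    return _expand(subject, context), "".join(out)


# Constructed template and data.
SUBJECT = "Password Safe alert for request :RequestId:"
BODY = (
    "Cumulative alert digest\n"
    "<ROW>:AlertTimeUTC: | :AccountName: | :IPAddress: | :EventCode:</ROW>\n"
    "Approve: :approvallink:\n"
    "Deny: :denylink:\n"
)
CONTEXT = {
    "RequestId": "42",
    "approvallink": "https://beyondinsight.example/approve/42",   # assumed URL shape
    "denylink": "https://beyondinsight.example/deny/42",
}
ROWS = [
    {"AlertTimeUTC": "2021-07-26T14:02:11Z", "AccountName": "svc-backup", "IPAddress": "10.0.0.5", "EventCode": "4625"},
    {"AlertTimeUTC": "2021-07-26T14:03:40Z", "AccountName": "ops<admin>", "IPAddress": "10.0.0.7", "EventCode": "4625"},
]


def demo() -> Tuple[str, str]:
    return render_template(SUBJECT, BODY, CONTEXT, ROWS)


if __name__ == "__main__":
    subject, body = demo()
    print(subject)
    print(body)
```

The second alert row carries an account name containing angle brackets; it is escaped on output, and because each segment is expanded in a single pass, event data that happens to look like a tag (a computer name containing :denylink:, for instance) is printed literally rather than turned into a link.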


Configure Workgroups for Multi-Node and Multi-Tenant Environments

Password Safe allows you to assign worker nodes to workgroups to give you more granularity over password changes. Password Safe uses workgroup assignments at the managed account level to allow Password Safe worker nodes to process password changes, password tests, and account notifications for their designated workgroup.

If a worker node is not assigned to a workgroup, the worker node functions on a global level and can change any account that does not have a designated workgroup assigned.

Create a Password Safe Worker Node

This is an automated, self-registering process, so worker nodes cannot be added manually. When any node in an active/active configuration runs Password Safe v6.0 or higher, the worker node registers itself with the BeyondInsight database.

You can view registered Password Safe worker nodes from Configuration > Privileged Access Management > Worker Nodes.

Assign a Password Safe Worker Node to a Workgroup

1. Select Configuration > Privileged Access Management Agents > Worker Nodes.
2. Select a worker node from the list on the left. The following options display:

- Organizations: Use the drop-down list to select the organization.
- Unassigned: The node is not assigned to a workgroup.
- Assign to existing workgroup: If selected, use the drop-down list to select the workgroup you want.

3. Click Save Worker Node when done.

Assign a Workgroup to a Managed Account

You can assign a workgroup to a particular managed account by editing the managed account or by using a Smart Rule.


To assign a workgroup to a particular managed account, go to the Managed Accounts page and select the account to edit. On the Edit Managed Account page, select a workgroup from the dropdown list.

Note: If you set the workgroup value to None, the account can be changed by any Password Safe agent.

To assign a workgroup using a Smart Rule, go to the Smart Rules page, and create a rule or edit an existing rule. Under Actions, select Assign workgroup on each account.


Assign Agents to Workgroups for Multi-Tenant Environments

After your BeyondInsight environment is configured with multiple organizations, the Password Safe worker nodes must be assigned to aworkgroup. Multiple worker nodes can be assigned to one workgroup. This distributes the workload and allows Password Safe to scale ifneeded for the organization.

In a multi-tenant environment, each organization requires at least one worker node. You can only assign a worker node to oneorganization. Assigning a worker node to more than one organization is not a supported implementation.

Note: Any managed accounts that are in a workgroup that is not assigned to a worker node will not be processed.

Note: Every time a worker node is reassigned to a workgroup, the Password Safe omniservice must be restarted.

After the worker nodes are assigned, managed accounts can be reassigned to a different workgroup, if required. Managed accounts can be assigned to workgroups manually by editing the Managed Account or by creating a Smart Rule to bulk assign accounts to a new workgroup.

For more information, please see the following:

- For more information on assigning managed accounts to workgroups, see "Assign a Workgroup to a Managed Account" on page 127.
- For more information on how to configure a multi-tenant environment, see the BeyondInsight User Guide at https://www.beyondtrust.com/docs/beyondinsight-password-safe/bi/user/multi-tenant.htm
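Because an account whose workgroup has no worker node is silently never processed, the dispatch rules from this section and the previous one are worth checking mechanically. The checker below is an added example (not BeyondTrust code) that encodes those rules: an unassigned node processes only accounts with no workgroup, a node serves a single organization, and every organization needs a node. The node and account inventory is constructed; in practice you would take it from the Worker Nodes and Managed Accounts pages.

```python
"""Checker for the worker-node / workgroup dispatch rules described above.

Added example, not BeyondTrust code. It encodes the stated rules (a node without
a workgroup processes only accounts without one; a node serves a single
organization; accounts in a workgroup with no node are never processed) and
flags the accounts an administrator would otherwise discover only when their
password changes silently stop. The inventory is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class WorkerNode:
    name: str
    organization: str
    workgroup: Optional[str] = None     # None == Unassigned (global within its organization)


@dataclass(frozen=True)
class ManagedAccount:
    name: str
    organization: str
    workgroup: Optional[str] = None     # None == the UI value "None"


def can_process(node: WorkerNode, account: ManagedAccount) -> bool:
    """Whether this node may change, test and send notifications for this account."""
    if node.organization != account.organization:
        return False                      # a node is assigned to exactly one organization
    if account.workgroup is None:
        return True                       # any node in the organization may change it
    return node.workgroup == account.workgroup   # an unassigned node does NOT pick these up


def unprocessable_accounts(nodes: Iterable[WorkerNode], accounts: Iterable[ManagedAccount]) -> List[str]:
    """Accounts whose workgroup (or organization) has no worker node: never processed."""
    nodes = list(nodes)
    return [a.name for a in accounts if not any(can_process(n, a) for n in nodes)]


def organizations_without_node(nodes: Iterable[WorkerNode], accounts: Iterable[ManagedAccount]) -> Set[str]:
    """Multi-tenant rule: every organization needs at least one worker node."""
    served = {n.organization for n in nodes}
    return {a.organization for a in accounts} - served


# Constructed inventory.
NODES = [
    WorkerNode("ps-node-01", "Default", "DC-East"),
    WorkerNode("ps-node-02", "Default", None),
    WorkerNode("ps-node-03", "TenantB", "TenantB-Main"),
]
ACCOUNTS = [
    ManagedAccount("db-east\\svc-sql", "Default", "DC-East"),
    ManagedAccount("web01\\local-admin", "Default", None),
    ManagedAccount("db-west\\svc-sql", "Default", "DC-West"),      # workgroup has no node
    ManagedAccount("tb-app01\\svc-app", "TenantB", "TenantB-Main"),
    ManagedAccount("tc-fs01\\svc-backup", "TenantC", None),         # organization has no node
]


def demo() -> List[str]:
    return unprocessable_accounts(NODES, ACCOUNTS)


if __name__ == "__main__":
    print("will never be processed:", demo())
    print("organizations without a worker node:", sorted(organizations_without_node(NODES, ACCOUNTS)))
```

Run this after any workgroup change or node reassignment (and remember the omniservice restart the note above requires): the two flagged accounts would otherwise simply stop rotating without a Password Change Failure notification, because no node ever picks them up.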

Synced Accounts in a Multi-tenant Environment

When viewing synced accounts on a managed account in a multi-tenant environment, only synced accounts in that organization aredisplayed.


Configure and Use Team Passwords

The Team Passwords feature allows you to securely store credentials owned by small groups in a controlled environment that you can audit. Password Safe administrators may assign groups in BeyondInsight to teams, in which each team has its own isolated store where users can secure credentials used within that team. The creator of the credential becomes the owner and may assign ownership of the credential to the entire team or to one or more individual members. Password Safe administrators and credential owners can manage credential ownership, edit credentials, and delete credentials, while team members may only view and retrieve credentials. Team members can create a folder structure to organize their credentials. Credentials can be found and accessed easily using search and filtering options.

Assign a Group to a Team in Team Passwords

Access to Team Passwords is granted to users by assigning permissions for the Team Passwords feature to a group in which the users are members.

1. In the BeyondInsight console, go to Configuration > Role Based Access > User Management.
2. Click the vertical ellipsis for the group you want to assign the Team Passwords feature to, and then select View Group Details.
3. From the Group Details pane, select Features.
4. From the Features pane, select the Team Passwords feature.

Tip: You can filter the list of features by All Features or Disabled Features, and by Feature Name, to quickly locate the Team Passwords feature.

5. Click Assign Permissions, and then select Assign Permissions Read Only.

6. Users who are members of the group are granted access to the Team Passwords page, where the group is listed as a parent-level folder representing the team.

Note: Removing the Team Passwords feature from the group removes all folders and credentials in the team.

Create a Credential in Team Passwords

Users can create credentials in the parent folder for any of their teams or in any of their team's subfolders. The user who creates the credential is its owner by default but may change ownership at the time of creation or after the credential has been created. Owners may move credentials to a different folder after they have been created.

1. From the left navigation pane in the console, select Team Passwords.


2. From the Folders pane, select a folder, and then click Create New Credential.

3. In the Create New Credential pane:

- Enter a Title, Description, Username, and Password.
- Click Manage Ownership if you wish to assign ownership to individual team members or to the entire team.
- Click Create Credential.

Manage Folders in Team Passwords

Users can organize their team credentials into subfolders under the parent team folder to make locating a credential more efficient.

1. From the left navigation pane in the console, select Team Passwords.


2. To create a new folder, select the parent folder for the team or one of its existing subfolders, and then click Create New Folder.

3. Enter a name for the folder, and then click Create Folder.

4. The new folder is listed under the folder you selected when creating it. To edit the folder name or to delete the folder, select the folder, click the vertical ellipsis, and then select Edit Folder or Delete Folder.

Note: You cannot delete parent team folders. Only subfolders may be deleted. Also, if you do not own all of the credentials in a subfolder, you are not able to delete it.

For more information on how to move a credential to a new subfolder, please see "Edit and Delete a Credential in Team Passwords" on page 133.

View and Copy a Credential in Team Passwords

Users can view details for their team's credentials, such as who owns the credential, when the credential was created and modified, andthe folder path for the credential. Users can also copy the username and password for a team credential so they may use it.


1. From the left navigation pane in the console, select Team Passwords.
2. From the Folders pane, select a folder, and then select a credential.
3. Click the vertical ellipsis for the credential.
4. To quickly copy the username and password, select those options from the dropdown menu.
5. To view the details for the credential, select View Credential from the dropdown menu.
6. To view the credential password, click the eye icon in the credential details pane.
7. To copy the credential password, click the copy icon in the credential details pane.

Edit and Delete a Credential in Team Passwords

Credential owners can edit the properties and manage ownership for credentials they own and may also delete credentials they own.Password Safe Administrators can edit the properties, manage ownership, and delete all credentials in Team Passwords.

1. From the left navigation pane in the console, select Team Passwords.
2. From the Folders pane, select a folder, and then select a credential.
3. Click the vertical ellipsis for the credential.


4. To delete a credential, select Delete Credential, and then click Delete on the confirmation message.

5. To edit a credential, select Edit Credential.

6. Modify the Title, Description, Username, Password, and Folder for the credential as required.

7. To manage the ownership of the credential, click Manage Ownership.


- Enable the Assign Ownership to Entire Team option to assign all members of the team as owners of the credential. When new members are added to the team, they are automatically assigned as owners of the credential.
- Alternatively, select individual team members as owners.
- Click Apply Ownership Settings.

8. Click Save Credential once you have made your edits.
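The permission model this section describes is compact enough to state as code, which is useful when reviewing who can reach a team credential. The model below is an added example, not BeyondTrust code: it encodes view versus owner actions, administrator override, the live-membership effect of Assign Ownership to Entire Team, and the rule that a subfolder can only be deleted by someone who owns every credential in it. The administrator set, team, users and credentials are constructed.

```python
"""Permission model for Team Passwords as described in this section.

Added example, not BeyondTrust code: it encodes who may view, edit, delete and
manage ownership of a team credential, the "Assign Ownership to Entire Team"
behaviour, and the rule that a subfolder can only be deleted by someone who
owns every credential in it. Teams, users and credentials are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set

ADMINS: Set[str] = {"psadmin"}       # Password Safe administrators (constructed)

VIEW_ACTIONS = {"view", "copy"}
OWNER_ACTIONS = {"edit", "delete", "manage_ownership"}


@dataclass
class Team:
    name: str                            # also the parent-level folder name
    members: Set[str]


@dataclass
class Credential:
    title: str
    folder: str                          # "Team" or "Team/Sub/Folder"
    owners: Set[str] = field(default_factory=set)
    owned_by_entire_team: bool = False   # "Assign Ownership to Entire Team"

    @property
    def team(self) -> str:
        return self.folder.split("/", 1)[0]


def is_owner(user: str, cred: Credential, teams: Dict[str, Team]) -> bool:
    if cred.owned_by_entire_team:
        # membership is evaluated live, so newly added members are owners automatically
        return user in teams[cred.team].members
    return user in cred.owners


def can(user: str, action: str, cred: Credential, teams: Dict[str, Team]) -> bool:
    if user in ADMINS:
        return True                      # administrators manage all credentials
    member = user in teams[cred.team].members
    if action in VIEW_ACTIONS:
        return member
    if action in OWNER_ACTIONS:
        return member and is_owner(user, cred, teams)
    raise ValueError(f"unknown action {action!r}")


def can_delete_folder(user: str, folder: str, creds: Iterable[Credential], teams: Dict[str, Team]) -> bool:
    """Parent team folders are never deletable; a subfolder only when the user
    may delete every credential inside it (including nested subfolders)."""
    if "/" not in folder:
        return False
    team = folder.split("/", 1)[0]
    if user not in ADMINS and user not in teams[team].members:
        return False
    inside = [c for c in creds if c.folder == folder or c.folder.startswith(folder + "/")]
    return all(can(user, "delete", c, teams) for c in inside)


# Constructed data.
TEAMS = {"Platform": Team("Platform", {"alice", "bob", "carol"})}
CREDS = [
    Credential("prod-postgres", "Platform/Databases", owners={"alice"}),
    Credential("grafana-viewer", "Platform/Databases/Monitoring", owned_by_entire_team=True),
    Credential("wiki-bot", "Platform", owners={"bob"}),
]


if __name__ == "__main__":
    for user in ("alice", "bob", "dave", "psadmin"):
        print(user, [c.title for c in CREDS if can(user, "edit", c, TEAMS)])
```

Note what entire-team ownership implies: every future member of the group becomes an owner who can edit, delete and reassign that credential, so it is a broader grant than it looks, and worth reserving for credentials the whole team genuinely needs to administer.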
